Re: [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc()

[Kees Cook <keescook@chromium.org>]

On Mon, Oct 8, 2018 at 1:22 PM, Borislav Petkov <bp@alien8.de> wrote:
> On Fri, Oct 05, 2018 at 09:24:53AM -0700, tip-bot for Arnd Bergmann wrote:
>> Commit-ID:  1be3f247c2882a82279cbcf43717581ea943b692
>> Gitweb:     https://git.kernel.org/tip/1be3f247c2882a82279cbcf43717581ea943b692
>> Author:     Arnd Bergmann <arnd@arndb.de>
>> AuthorDate: Fri, 5 Oct 2018 18:13:16 +0200
>> Committer:  Ingo Molnar <mingo@kernel.org>
>> CommitDate: Fri, 5 Oct 2018 18:16:55 +0200
>>
>> x86/mm: Avoid VLA in pgd_alloc()
>>
>> Turning on -Wvla found a new VLA usage:
>>
>>   arch/x86/mm/pgtable.c: In function 'pgd_alloc':
>>   include/linux/build_bug.h:29:45: error: ISO C90 forbids variable length array 'u_pmds' [-Werror=vla]
>>   arch/x86/mm/pgtable.c:190:34: note: in expansion of macro 'static_cpu_has'
>>    #define PREALLOCATED_USER_PMDS  (static_cpu_has(X86_FEATURE_PTI) ? \
>>                                     ^~~~~~~~~~~~~~
>>   arch/x86/mm/pgtable.c:431:16: note: in expansion of macro 'PREALLOCATED_USER_PMDS'
>>     pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
>>                 ^~~~~~~~~~~~~~~~~~~~~~
>>
>> Use the actual size of the array that is used for X86_FEATURE_PTI
>> instead of the variable size.
>>
>> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Andy Lutomirski <luto@kernel.org>
>> Cc: Borislav Petkov <bp@alien8.de>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Joerg Roedel <jroedel@suse.de>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Linus Torvalds <torvalds@linux-foundation.org>
>> Cc: Peter Zijlstra <peterz@infradead.org>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Toshi Kani <toshi.kani@hpe.com>
>> Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")
>> Fixes: f59dbe9ca670 ("x86/pgtable/pae: Use separate kernel PMDs for user page-table")
>> Link: http://lkml.kernel.org/r/20181005161333.765973-1-arnd@arndb.de
>> Signed-off-by: Ingo Molnar <mingo@kernel.org>
>> ---
>>  arch/x86/mm/pgtable.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
>> index 089e78c4effd..386b43e3e0ac 100644
>> --- a/arch/x86/mm/pgtable.c
>> +++ b/arch/x86/mm/pgtable.c
>> @@ -189,6 +189,7 @@ static void pgd_dtor(pgd_t *pgd)
>>   */
>>  #define PREALLOCATED_USER_PMDS        (static_cpu_has(X86_FEATURE_PTI) ? \
>>                                       KERNEL_PGD_PTRS : 0)
>> +#define MAX_PREALLOCATED_USER_PMDS KERNEL_PGD_PTRS
>>
>>  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
>>  {
>> @@ -211,6 +212,7 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
>>  /* No need to prepopulate any pagetable entries in non-PAE modes. */
>>  #define PREALLOCATED_PMDS    0
>>  #define PREALLOCATED_USER_PMDS        0
>> +#define MAX_PREALLOCATED_USER_PMDS 0
>>  #endif       /* CONFIG_X86_PAE */
>>
>>  static void free_pmds(struct mm_struct *mm, pmd_t *pmds[], int count)
>> @@ -428,8 +430,8 @@ static inline void _pgd_free(pgd_t *pgd)
>>  pgd_t *pgd_alloc(struct mm_struct *mm)
>>  {
>>       pgd_t *pgd;
>> -     pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
>> -     pmd_t *pmds[PREALLOCATED_PMDS];
>> +     pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
>> +     pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];
>>
>>       pgd = _pgd_alloc();
>
> For whatever reason - probably because it forced
> MAX_PREALLOCATED_USER_PMDS be KERNEL_PGD_PTRS and not 0 (and I don't
> have CONFIG_PAGE_TABLE_ISOLATION so it was 0 here with my .config
> before) but this patch causes the fun below.
>
> If I revert it, no splat.
>
> Also, config has CONFIG_X86_PAE=y. And CONFIG_STACKPROTECTOR_STRONG=y. If I
> disable _STRONG, it boots too. Attached.

This really should mean that the stack canary changed. Either the
stack canary wasn't prepared yet (but this is from run_init_process(),
which is WELL after boot_init_stack_canary()), or the canary was
actually stomped on, which would certainly be a bug in the existing
code.

Ah! I see it now. "pmds" shouldn't have changed, it's not .._USER_PMDS...

-       pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
-       pmd_t *pmds[PREALLOCATED_PMDS];
+       pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
+       pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];

-Kees

>
> [    1.749047] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
> [    1.750306] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W         4.19.0-rc6+ #5
> [    1.751353] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
> [    1.752452] Call Trace:
> [    1.752902]  dump_stack+0x66/0x95
> [    1.753426]  panic+0x94/0x1dd
> [    1.753922]  __stack_chk_fail+0x1e/0x20
> [    1.754486]  ? pgd_alloc+0x29e/0x2a0
> [    1.755028]  pgd_alloc+0x29e/0x2a0
> [    1.755556]  mm_init.isra.60+0x1ec/0x210
> [    1.756128]  mm_alloc+0x30/0x40
> [    1.756635]  __do_execve_file+0x378/0x930
> [    1.757215]  ? __do_execve_file+0x108/0x930
> [    1.757820]  ? kmem_cache_alloc+0x123/0x220
> [    1.758414]  do_execve+0x2c/0x30
> [    1.758936]  run_init_process+0x31/0x36
> [    1.759501]  ? rest_init+0xb0/0xb0
> [    1.760029]  try_to_run_init_process+0x11/0x33
> [    1.760644]  ? rest_init+0xb0/0xb0
> [    1.761173]  kernel_init+0x9e/0xda
> [    1.761705]  ret_from_fork+0x2e/0x38
> [    1.762309] Kernel Offset: disabled
> [    1.762858] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0 ]---
>
> --
> Regards/Gruss,
>     Boris.
>
> Good mailing practices for 400: avoid top-posting and trim the reply.



-- 
Kees Cook
Pixel Security