All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Borislav Petkov <bp@alien8.de>
Cc: Arnd Bergmann <arnd@arndb.de>,
	linux-tip-commits@vger.kernel.org,
	Andy Lutomirski <luto@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Joerg Roedel <jroedel@suse.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>, Toshi Kani <toshi.kani@hpe.com>,
	"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc()
Date: Mon, 8 Oct 2018 16:28:34 -0700	[thread overview]
Message-ID: <CAGXu5j+4hjJSFpYi=5SqDmkonJ79J=hcb65qJC8+_r6+5NHewg@mail.gmail.com> (raw)
In-Reply-To: <20181008202209.GA6597@zn.tnic>

On Mon, Oct 8, 2018 at 1:22 PM, Borislav Petkov <bp@alien8.de> wrote:
> On Fri, Oct 05, 2018 at 09:24:53AM -0700, tip-bot for Arnd Bergmann wrote:
>> Commit-ID:  1be3f247c2882a82279cbcf43717581ea943b692
>> Gitweb:     https://git.kernel.org/tip/1be3f247c2882a82279cbcf43717581ea943b692
>> Author:     Arnd Bergmann <arnd@arndb.de>
>> AuthorDate: Fri, 5 Oct 2018 18:13:16 +0200
>> Committer:  Ingo Molnar <mingo@kernel.org>
>> CommitDate: Fri, 5 Oct 2018 18:16:55 +0200
>>
>> x86/mm: Avoid VLA in pgd_alloc()
>>
>> Turning on -Wvla found a new VLA usage:
>>
>>   arch/x86/mm/pgtable.c: In function 'pgd_alloc':
>>   include/linux/build_bug.h:29:45: error: ISO C90 forbids variable length array 'u_pmds' [-Werror=vla]
>>   arch/x86/mm/pgtable.c:190:34: note: in expansion of macro 'static_cpu_has'
>>    #define PREALLOCATED_USER_PMDS  (static_cpu_has(X86_FEATURE_PTI) ? \
>>                                     ^~~~~~~~~~~~~~
>>   arch/x86/mm/pgtable.c:431:16: note: in expansion of macro 'PREALLOCATED_USER_PMDS'
>>     pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
>>                 ^~~~~~~~~~~~~~~~~~~~~~
>>
>> Use the actual size of the array that is used for X86_FEATURE_PTI
>> instead of the variable size.
>>
>> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Andy Lutomirski <luto@kernel.org>
>> Cc: Borislav Petkov <bp@alien8.de>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Joerg Roedel <jroedel@suse.de>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Linus Torvalds <torvalds@linux-foundation.org>
>> Cc: Peter Zijlstra <peterz@infradead.org>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Toshi Kani <toshi.kani@hpe.com>
>> Fixes: 68664695ae57 ("Makefile: Globally enable VLA warning")
>> Fixes: f59dbe9ca670 ("x86/pgtable/pae: Use separate kernel PMDs for user page-table")
>> Link: http://lkml.kernel.org/r/20181005161333.765973-1-arnd@arndb.de
>> Signed-off-by: Ingo Molnar <mingo@kernel.org>
>> ---
>>  arch/x86/mm/pgtable.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
>> index 089e78c4effd..386b43e3e0ac 100644
>> --- a/arch/x86/mm/pgtable.c
>> +++ b/arch/x86/mm/pgtable.c
>> @@ -189,6 +189,7 @@ static void pgd_dtor(pgd_t *pgd)
>>   */
>>  #define PREALLOCATED_USER_PMDS        (static_cpu_has(X86_FEATURE_PTI) ? \
>>                                       KERNEL_PGD_PTRS : 0)
>> +#define MAX_PREALLOCATED_USER_PMDS KERNEL_PGD_PTRS
>>
>>  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
>>  {
>> @@ -211,6 +212,7 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
>>  /* No need to prepopulate any pagetable entries in non-PAE modes. */
>>  #define PREALLOCATED_PMDS    0
>>  #define PREALLOCATED_USER_PMDS        0
>> +#define MAX_PREALLOCATED_USER_PMDS 0
>>  #endif       /* CONFIG_X86_PAE */
>>
>>  static void free_pmds(struct mm_struct *mm, pmd_t *pmds[], int count)
>> @@ -428,8 +430,8 @@ static inline void _pgd_free(pgd_t *pgd)
>>  pgd_t *pgd_alloc(struct mm_struct *mm)
>>  {
>>       pgd_t *pgd;
>> -     pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
>> -     pmd_t *pmds[PREALLOCATED_PMDS];
>> +     pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
>> +     pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];
>>
>>       pgd = _pgd_alloc();
>
> For whatever reason - probably because it forced
> MAX_PREALLOCATED_USER_PMDS be KERNEL_PGD_PTRS and not 0 (and I don't
> have CONFIG_PAGE_TABLE_ISOLATION so it was 0 here with my .config
> before) but this patch causes the fun below.
>
> If I revert it, no splat.
>
> Also, config has CONFIG_X86_PAE=y. And CONFIG_STACKPROTECTOR_STRONG=y. If I
> disable _STRONG, it boots too. Attached.

This really should mean that the stack canary changed. Either the
stack canary wasn't prepared yet (but this is from run_init_process(),
which is WELL after boot_init_stack_canary()), or the canary was
actually stomped on, which would certainly be a bug in the existing
code.

Ah! I see it now. "pmds" shouldn't have changed, it's not .._USER_PMDS...

-       pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
-       pmd_t *pmds[PREALLOCATED_PMDS];
+       pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
+       pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];

-Kees

>
> [    1.749047] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0
> [    1.750306] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W         4.19.0-rc6+ #5
> [    1.751353] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
> [    1.752452] Call Trace:
> [    1.752902]  dump_stack+0x66/0x95
> [    1.753426]  panic+0x94/0x1dd
> [    1.753922]  __stack_chk_fail+0x1e/0x20
> [    1.754486]  ? pgd_alloc+0x29e/0x2a0
> [    1.755028]  pgd_alloc+0x29e/0x2a0
> [    1.755556]  mm_init.isra.60+0x1ec/0x210
> [    1.756128]  mm_alloc+0x30/0x40
> [    1.756635]  __do_execve_file+0x378/0x930
> [    1.757215]  ? __do_execve_file+0x108/0x930
> [    1.757820]  ? kmem_cache_alloc+0x123/0x220
> [    1.758414]  do_execve+0x2c/0x30
> [    1.758936]  run_init_process+0x31/0x36
> [    1.759501]  ? rest_init+0xb0/0xb0
> [    1.760029]  try_to_run_init_process+0x11/0x33
> [    1.760644]  ? rest_init+0xb0/0xb0
> [    1.761173]  kernel_init+0x9e/0xda
> [    1.761705]  ret_from_fork+0x2e/0x38
> [    1.762309] Kernel Offset: disabled
> [    1.762858] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pgd_alloc+0x29e/0x2a0 ]---
>
> --
> Regards/Gruss,
>     Boris.
>
> Good mailing practices for 400: avoid top-posting and trim the reply.



-- 
Kees Cook
Pixel Security

  reply	other threads:[~2018-10-08 23:28 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-05 16:13 [PATCH] x86: avoid " Arnd Bergmann
2018-10-05 16:24 ` [tip:x86/urgent] x86/mm: Avoid " tip-bot for Arnd Bergmann
2018-10-08 20:22   ` Borislav Petkov
2018-10-08 23:28     ` Kees Cook [this message]
2018-10-09  7:33       ` Arnd Bergmann
2018-10-09  7:39         ` Joerg Roedel
2018-10-09  7:48           ` Ingo Molnar
2018-10-08 23:54 [PATCH] x86/mm: Fix preallocated PMD stack array Kees Cook
2018-10-09  7:03 ` [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc() tip-bot for Kees Cook
2018-10-09  7:58   ` Arnd Bergmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5j+4hjJSFpYi=5SqDmkonJ79J=hcb65qJC8+_r6+5NHewg@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=arnd@arndb.de \
    --cc=bp@alien8.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=jroedel@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=toshi.kani@hpe.com \
    --subject='Re: [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.