[PATCH v4 0/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[PATCH v4 0/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Our customer reported that Kernel text may be located on non-mirror
region (movable zone) when both address range mirroring feature and
KASLR are enabled.

The functions of address range mirroring feature are as follows.
- The physical memory region whose descriptors in EFI memory map have
  EFI_MEMORY_MORE_RELIABLE attribute (bit: 16) are mirrored
- The function arranges such mirror region into normal zone and other region
  into movable zone in order to locate kernel code and data on mirror region

So we need restrict kernel to be located inside mirror regions if it
is existed.

The method is very simple. If efi is enabled, just iterate all efi
memory map and pick mirror region to process for adding candidate
of slot. If efi disabled or no mirror region existed, still process
e820 memory map. This won't bring much efficiency loss, at worst we
just go through all efi memory maps and found no mirror.

Changelog:
v3->v4:
  Rearrange the old patch 1/2 to make it be done in three steps for
  easier review addcording to Kees's suggestion.

v2->v3:
  Put process_efi_entry invocation inside the #ifdef CONFIG_EFI according
  to tglx's suggestion. Since the efi related code is meaningful only if
  CONFIG_EFI=y.

v1->v2:
  Removed debug code.

  Taku suggested that we should put kernel to mirrored region always
  whether or not "kernelcore=mirror" is specified since kernel text is
  important and mirrored region is reliable.

  Change code according to kbuild report and Chao Fan's comment.

Baoquan He (4):
  x86/boot/KASLR: Wrap e820 entries walking code into new function
    process_e820_entries()
  x86/boot/KASLR: Switch to pass struct mem_vector to
    process_e820_entry()
  x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()
  x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

 arch/x86/boot/compressed/kaslr.c | 117 ++++++++++++++++++++++++++++++---------
 1 file changed, 90 insertions(+), 27 deletions(-)

-- 
2.5.5

[PATCH v4 1/4] x86/boot/KASLR: Wrap e820 entries walking code into new function process_e820_entries()

[Baoquan He]

The original function process_e820_entry() only takes care of each
e820 entry passed.

And move the E820_TYPE_RAM checking logic into process_e820_entries().

And remove the redundent local variable 'addr' definition in
find_random_phys_addr().

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 91f27ab970ef..1485f48aeda1 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -488,10 +488,6 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	unsigned long start_orig, end;
 	struct boot_e820_entry cur_entry;
 
-	/* Skip non-RAM entries. */
-	if (entry->type != E820_TYPE_RAM)
-		return;
-
 	/* On 32-bit, ignore entries entirely above our maximum. */
 	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
 		return;
@@ -562,12 +558,29 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	}
 }
 
-static unsigned long find_random_phys_addr(unsigned long minimum,
-					   unsigned long image_size)
+static void process_e820_entries(unsigned long minimum,
+				 unsigned long image_size)
 {
 	int i;
-	unsigned long addr;
+	struct boot_e820_entry *entry;
+
+	/* Verify potential e820 positions, appending to slots list. */
+	for (i = 0; i < boot_params->e820_entries; i++) {
+		entry = &boot_params->e820_table[i];
+		/* Skip non-RAM entries. */
+		if (entry->type != E820_TYPE_RAM)
+			continue;
+		process_e820_entry(entry, minimum, image_size);
+		if (slot_area_index == MAX_SLOT_AREA) {
+			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
+			break;
+		}
+	}
+}
 
+static unsigned long find_random_phys_addr(unsigned long minimum,
+					   unsigned long image_size)
+{
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
 		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
@@ -577,16 +590,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
-	/* Verify potential e820 positions, appending to slots list. */
-	for (i = 0; i < boot_params->e820_entries; i++) {
-		process_e820_entry(&boot_params->e820_table[i], minimum,
-				   image_size);
-		if (slot_area_index == MAX_SLOT_AREA) {
-			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
-			break;
-		}
-	}
-
+	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
 
-- 
2.5.5

[PATCH v4 2/4] x86/boot/KASLR: Switch to pass struct mem_vector to process_e820_entry()

[Baoquan He]

This makes process_e820_entry() be able to process any kind of memory
region.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 1485f48aeda1..36ff9f729c43 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,31 +479,31 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct boot_e820_entry *entry,
+static void process_e820_entry(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
 	struct mem_vector region, overlap;
 	struct slot_area slot_area;
 	unsigned long start_orig, end;
-	struct boot_e820_entry cur_entry;
+	struct mem_vector cur_entry;
 
 	/* On 32-bit, ignore entries entirely above our maximum. */
-	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
+	if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
 		return;
 
 	/* Ignore entries entirely below our minimum. */
-	if (entry->addr + entry->size < minimum)
+	if (entry->start + entry->size < minimum)
 		return;
 
 	/* Ignore entries above memory limit */
-	end = min(entry->size + entry->addr, mem_limit);
-	if (entry->addr >= end)
+	end = min(entry->size + entry->start, mem_limit);
+	if (entry->start >= end)
 		return;
-	cur_entry.addr = entry->addr;
-	cur_entry.size = end - entry->addr;
+	cur_entry.start = entry->start;
+	cur_entry.size = end - entry->start;
 
-	region.start = cur_entry.addr;
+	region.start = cur_entry.start;
 	region.size = cur_entry.size;
 
 	/* Give up if slot area array is full. */
@@ -518,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
 		/* Did we raise the address above this e820 region? */
-		if (region.start > cur_entry.addr + cur_entry.size)
+		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
 		/* Reduce size by any delta from the original address. */
@@ -562,6 +562,7 @@ static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
 	int i;
+	struct mem_vector region;
 	struct boot_e820_entry *entry;
 
 	/* Verify potential e820 positions, appending to slots list. */
@@ -570,7 +571,9 @@ static void process_e820_entries(unsigned long minimum,
 		/* Skip non-RAM entries. */
 		if (entry->type != E820_TYPE_RAM)
 			continue;
-		process_e820_entry(entry, minimum, image_size);
+		region.start = entry->addr;
+		region.size = entry->size;
+		process_e820_entry(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;
-- 
2.5.5

[PATCH v4 3/4] x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()

[Baoquan He]

Now process_e820_entry() is not limited to e820 entry processing, rename
it to process_mem_region(). And adjust the code comment accordingly.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 36ff9f729c43..99c7194f7ea6 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,7 +479,7 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct mem_vector *entry,
+static void process_mem_region(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
@@ -517,7 +517,7 @@ static void process_e820_entry(struct mem_vector *entry,
 		/* Potentially raise address to meet alignment needs. */
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
-		/* Did we raise the address above this e820 region? */
+		/* Did we raise the address above the passed in memory entry? */
 		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
@@ -573,7 +573,7 @@ static void process_e820_entries(unsigned long minimum,
 			continue;
 		region.start = entry->addr;
 		region.size = entry->size;
-		process_e820_entry(&region, minimum, image_size);
+		process_mem_region(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;
-- 
2.5.5

[PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Kernel text may be located in non-mirror regions (movable zone) when both
address range mirroring feature and KASLR are enabled.

The address range mirroring feature arranges such mirror region into
normal zone and other region into movable zone in order to locate
kernel code and data in mirror region. The physical memory region
whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
attribute (bit: 16) are mirrored.

If efi is detected, iterate efi memory map and pick the mirror region to
process for adding candidate of randomization slot. If efi is disabled
or no mirror region found, still process e820 memory map.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 99c7194f7ea6..7376b3473758 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -37,7 +37,9 @@
 #include <linux/uts.h>
 #include <linux/utsname.h>
 #include <linux/ctype.h>
+#include <linux/efi.h>
 #include <generated/utsrelease.h>
+#include <asm/efi.h>
 
 /* Macros used by the included decompressor code below. */
 #define STATIC
@@ -558,6 +560,54 @@ static void process_mem_region(struct mem_vector *entry,
 	}
 }
 
+/* Marks if efi mirror regions have been found and handled. */
+static bool efi_mirror_found;
+
+static void process_efi_entries(unsigned long minimum,
+				unsigned long image_size)
+{
+	struct efi_info *e = &boot_params->efi_info;
+	struct mem_vector region;
+	efi_memory_desc_t *md;
+	unsigned long pmap;
+	char *signature;
+	u32 nr_desc;
+	int i;
+
+
+	signature = (char *)&boot_params->efi_info.efi_loader_signature;
+	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
+	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
+		return;
+
+#ifdef CONFIG_X86_32
+	/* Can't handle data above 4GB at this time */
+	if (e->efi_memmap_hi) {
+		warn("Memory map is above 4GB, EFI should be disabled.\n");
+		return;
+	}
+	pmap =  e->efi_memmap;
+#else
+	pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
+#endif
+
+	nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
+	for (i = 0; i < nr_desc; i++) {
+		md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
+		if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
+			region.start = md->phys_addr;
+			region.size = md->num_pages << EFI_PAGE_SHIFT;
+			process_mem_region(&region, minimum, image_size);
+			efi_mirror_found = true;
+
+			if (slot_area_index == MAX_SLOT_AREA) {
+				debug_putstr("Aborted efi scan (slot_areas full)!\n");
+				break;
+			}
+		}
+	}
+}
+
 static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
@@ -586,13 +636,19 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 {
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
-		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
+		debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
 		return 0;
 	}
 
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
+#ifdef CONFIG_EFI
+	process_efi_entries(minimum, image_size);
+	if (efi_mirror_found)
+		return slots_fetch_random();
+#endif
+
 	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
@@ -652,7 +708,7 @@ void choose_random_location(unsigned long input,
 	 */
 	min_addr = min(*output, 512UL << 20);
 
-	/* Walk e820 and find a random address. */
+	/* Walk available memory entries to find a random address. */
 	random_addr = find_random_phys_addr(min_addr, output_size);
 	if (!random_addr) {
 		warn("Physical KASLR disabled: no suitable memory region!");
-- 
2.5.5

Re: [PATCH v4 1/4] x86/boot/KASLR: Wrap e820 entries walking code into new function process_e820_entries()

[Kees Cook]

On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> The original function process_e820_entry() only takes care of each
> e820 entry passed.
>
> And move the E820_TYPE_RAM checking logic into process_e820_entries().
>
> And remove the redundent local variable 'addr' definition in
> find_random_phys_addr().
>
> Signed-off-by: Baoquan He <bhe@redhat.com>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/x86/boot/compressed/kaslr.c | 38 +++++++++++++++++++++-----------------
>  1 file changed, 21 insertions(+), 17 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 91f27ab970ef..1485f48aeda1 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -488,10 +488,6 @@ static void process_e820_entry(struct boot_e820_entry *entry,
>         unsigned long start_orig, end;
>         struct boot_e820_entry cur_entry;
>
> -       /* Skip non-RAM entries. */
> -       if (entry->type != E820_TYPE_RAM)
> -               return;
> -
>         /* On 32-bit, ignore entries entirely above our maximum. */
>         if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
>                 return;
> @@ -562,12 +558,29 @@ static void process_e820_entry(struct boot_e820_entry *entry,
>         }
>  }
>
> -static unsigned long find_random_phys_addr(unsigned long minimum,
> -                                          unsigned long image_size)
> +static void process_e820_entries(unsigned long minimum,
> +                                unsigned long image_size)
>  {
>         int i;
> -       unsigned long addr;
> +       struct boot_e820_entry *entry;
> +
> +       /* Verify potential e820 positions, appending to slots list. */
> +       for (i = 0; i < boot_params->e820_entries; i++) {
> +               entry = &boot_params->e820_table[i];
> +               /* Skip non-RAM entries. */
> +               if (entry->type != E820_TYPE_RAM)
> +                       continue;
> +               process_e820_entry(entry, minimum, image_size);
> +               if (slot_area_index == MAX_SLOT_AREA) {
> +                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> +                       break;
> +               }
> +       }
> +}
>
> +static unsigned long find_random_phys_addr(unsigned long minimum,
> +                                          unsigned long image_size)
> +{
>         /* Check if we had too many memmaps. */
>         if (memmap_too_large) {
>                 debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
> @@ -577,16 +590,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
>         /* Make sure minimum is aligned. */
>         minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
>
> -       /* Verify potential e820 positions, appending to slots list. */
> -       for (i = 0; i < boot_params->e820_entries; i++) {
> -               process_e820_entry(&boot_params->e820_table[i], minimum,
> -                                  image_size);
> -               if (slot_area_index == MAX_SLOT_AREA) {
> -                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> -                       break;
> -               }
> -       }
> -
> +       process_e820_entries(minimum, image_size);
>         return slots_fetch_random();
>  }
>
> --
> 2.5.5
>



-- 
Kees Cook
Pixel Security

Re: [PATCH v4 2/4] x86/boot/KASLR: Switch to pass struct mem_vector to process_e820_entry()

[Kees Cook]

On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> This makes process_e820_entry() be able to process any kind of memory
> region.
>
> Signed-off-by: Baoquan He <bhe@redhat.com>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/x86/boot/compressed/kaslr.c | 25 ++++++++++++++-----------
>  1 file changed, 14 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 1485f48aeda1..36ff9f729c43 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -479,31 +479,31 @@ static unsigned long slots_fetch_random(void)
>         return 0;
>  }
>
> -static void process_e820_entry(struct boot_e820_entry *entry,
> +static void process_e820_entry(struct mem_vector *entry,
>                                unsigned long minimum,
>                                unsigned long image_size)
>  {
>         struct mem_vector region, overlap;
>         struct slot_area slot_area;
>         unsigned long start_orig, end;
> -       struct boot_e820_entry cur_entry;
> +       struct mem_vector cur_entry;
>
>         /* On 32-bit, ignore entries entirely above our maximum. */
> -       if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
> +       if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
>                 return;
>
>         /* Ignore entries entirely below our minimum. */
> -       if (entry->addr + entry->size < minimum)
> +       if (entry->start + entry->size < minimum)
>                 return;
>
>         /* Ignore entries above memory limit */
> -       end = min(entry->size + entry->addr, mem_limit);
> -       if (entry->addr >= end)
> +       end = min(entry->size + entry->start, mem_limit);
> +       if (entry->start >= end)
>                 return;
> -       cur_entry.addr = entry->addr;
> -       cur_entry.size = end - entry->addr;
> +       cur_entry.start = entry->start;
> +       cur_entry.size = end - entry->start;
>
> -       region.start = cur_entry.addr;
> +       region.start = cur_entry.start;
>         region.size = cur_entry.size;
>
>         /* Give up if slot area array is full. */
> @@ -518,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
>                 region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
>
>                 /* Did we raise the address above this e820 region? */
> -               if (region.start > cur_entry.addr + cur_entry.size)
> +               if (region.start > cur_entry.start + cur_entry.size)
>                         return;
>
>                 /* Reduce size by any delta from the original address. */
> @@ -562,6 +562,7 @@ static void process_e820_entries(unsigned long minimum,
>                                  unsigned long image_size)
>  {
>         int i;
> +       struct mem_vector region;
>         struct boot_e820_entry *entry;
>
>         /* Verify potential e820 positions, appending to slots list. */
> @@ -570,7 +571,9 @@ static void process_e820_entries(unsigned long minimum,
>                 /* Skip non-RAM entries. */
>                 if (entry->type != E820_TYPE_RAM)
>                         continue;
> -               process_e820_entry(entry, minimum, image_size);
> +               region.start = entry->addr;
> +               region.size = entry->size;
> +               process_e820_entry(&region, minimum, image_size);
>                 if (slot_area_index == MAX_SLOT_AREA) {
>                         debug_putstr("Aborted e820 scan (slot_areas full)!\n");
>                         break;
> --
> 2.5.5
>



-- 
Kees Cook
Pixel Security

Re: [PATCH v4 3/4] x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()

[Kees Cook]

On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> Now process_e820_entry() is not limited to e820 entry processing, rename
> it to process_mem_region(). And adjust the code comment accordingly.
>
> Signed-off-by: Baoquan He <bhe@redhat.com>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  arch/x86/boot/compressed/kaslr.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 36ff9f729c43..99c7194f7ea6 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -479,7 +479,7 @@ static unsigned long slots_fetch_random(void)
>         return 0;
>  }
>
> -static void process_e820_entry(struct mem_vector *entry,
> +static void process_mem_region(struct mem_vector *entry,
>                                unsigned long minimum,
>                                unsigned long image_size)
>  {
> @@ -517,7 +517,7 @@ static void process_e820_entry(struct mem_vector *entry,
>                 /* Potentially raise address to meet alignment needs. */
>                 region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
>
> -               /* Did we raise the address above this e820 region? */
> +               /* Did we raise the address above the passed in memory entry? */
>                 if (region.start > cur_entry.start + cur_entry.size)
>                         return;
>
> @@ -573,7 +573,7 @@ static void process_e820_entries(unsigned long minimum,
>                         continue;
>                 region.start = entry->addr;
>                 region.size = entry->size;
> -               process_e820_entry(&region, minimum, image_size);
> +               process_mem_region(&region, minimum, image_size);
>                 if (slot_area_index == MAX_SLOT_AREA) {
>                         debug_putstr("Aborted e820 scan (slot_areas full)!\n");
>                         break;
> --
> 2.5.5
>



-- 
Kees Cook
Pixel Security

Re: [PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Kees Cook]

On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> Kernel text may be located in non-mirror regions (movable zone) when both
> address range mirroring feature and KASLR are enabled.
>
> The address range mirroring feature arranges such mirror region into
> normal zone and other region into movable zone in order to locate
> kernel code and data in mirror region. The physical memory region
> whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
> attribute (bit: 16) are mirrored.
>
> If efi is detected, iterate efi memory map and pick the mirror region to
> process for adding candidate of randomization slot. If efi is disabled
> or no mirror region found, still process e820 memory map.
>
> Signed-off-by: Baoquan He <bhe@redhat.com>
> ---
>  arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 58 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 99c7194f7ea6..7376b3473758 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -37,7 +37,9 @@
>  #include <linux/uts.h>
>  #include <linux/utsname.h>
>  #include <linux/ctype.h>
> +#include <linux/efi.h>
>  #include <generated/utsrelease.h>
> +#include <asm/efi.h>
>
>  /* Macros used by the included decompressor code below. */
>  #define STATIC
> @@ -558,6 +560,54 @@ static void process_mem_region(struct mem_vector *entry,
>         }
>  }
>
> +/* Marks if efi mirror regions have been found and handled. */
> +static bool efi_mirror_found;

I think this is only ever checked once? How about having
process_efi_entries return bool to indicate if mirror was found? Also,
that function should be behind #ifdef. Let's do something like this:


> +
> +static void process_efi_entries(unsigned long minimum,
> +                               unsigned long image_size)

#ifdef CONFIG_EFI
/* Returns true if mirror region found (and further scanning should stop) */
static bool process_efi_entries(...)
{
...
}
#else
static inline bool process_efi_entries(...)
{
    return false;
}
#endif

Then:

> +#ifdef CONFIG_EFI
> +       process_efi_entries(minimum, image_size);
> +       if (efi_mirror_found)
> +               return slots_fetch_random();
> +#endif

Can become:

if (process_efi_entries(minimum, image_size))
    return slots_fetch_random()

and no #ifndef needed here.

> +
>         process_e820_entries(minimum, image_size);
>         return slots_fetch_random();
>  }
> @@ -652,7 +708,7 @@ void choose_random_location(unsigned long input,
>          */
>         min_addr = min(*output, 512UL << 20);
>
> -       /* Walk e820 and find a random address. */
> +       /* Walk available memory entries to find a random address. */
>         random_addr = find_random_phys_addr(min_addr, output_size);
>         if (!random_addr) {
>                 warn("Physical KASLR disabled: no suitable memory region!");
> --
> 2.5.5
>

Otherwise, if the EFI logic is good, this looks sensible.

Thanks for splitting up the patches!

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

On 07/09/17 at 07:11am, Kees Cook wrote:
> On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> > Kernel text may be located in non-mirror regions (movable zone) when both
> > address range mirroring feature and KASLR are enabled.
> >
> > The address range mirroring feature arranges such mirror region into
> > normal zone and other region into movable zone in order to locate
> > kernel code and data in mirror region. The physical memory region
> > whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
> > attribute (bit: 16) are mirrored.
> >
> > If efi is detected, iterate efi memory map and pick the mirror region to
> > process for adding candidate of randomization slot. If efi is disabled
> > or no mirror region found, still process e820 memory map.
> >
> > Signed-off-by: Baoquan He <bhe@redhat.com>
> > ---
> >  arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++++++++++++++++++--
> >  1 file changed, 58 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> > index 99c7194f7ea6..7376b3473758 100644
> > --- a/arch/x86/boot/compressed/kaslr.c
> > +++ b/arch/x86/boot/compressed/kaslr.c
> > @@ -37,7 +37,9 @@
> >  #include <linux/uts.h>
> >  #include <linux/utsname.h>
> >  #include <linux/ctype.h>
> > +#include <linux/efi.h>
> >  #include <generated/utsrelease.h>
> > +#include <asm/efi.h>
> >
> >  /* Macros used by the included decompressor code below. */
> >  #define STATIC
> > @@ -558,6 +560,54 @@ static void process_mem_region(struct mem_vector *entry,
> >         }
> >  }
> >
> > +/* Marks if efi mirror regions have been found and handled. */
> > +static bool efi_mirror_found;
> 
> I think this is only ever checked once? How about having
> process_efi_entries return bool to indicate if mirror was found? Also,
> that function should be behind #ifdef. Let's do something like this:

Yes. Yours looks much better, let me change as you suggested and repost.
Thanks a lot for reviewing and great suggestions!

> 
> 
> > +
> > +static void process_efi_entries(unsigned long minimum,
> > +                               unsigned long image_size)
> 
> #ifdef CONFIG_EFI
> /* Returns true if mirror region found (and further scanning should stop) */
> static bool process_efi_entries(...)
> {
> ...
> }
> #else
> static inline bool process_efi_entries(...)
> {
>     return false;
> }
> #endif
> 
> Then:
> 
> > +#ifdef CONFIG_EFI
> > +       process_efi_entries(minimum, image_size);
> > +       if (efi_mirror_found)
> > +               return slots_fetch_random();
> > +#endif
> 
> Can become:
> 
> if (process_efi_entries(minimum, image_size))
>     return slots_fetch_random()
> 
> and no #ifndef needed here.
> 
> > +
> >         process_e820_entries(minimum, image_size);
> >         return slots_fetch_random();
> >  }
> > @@ -652,7 +708,7 @@ void choose_random_location(unsigned long input,
> >          */
> >         min_addr = min(*output, 512UL << 20);
> >
> > -       /* Walk e820 and find a random address. */
> > +       /* Walk available memory entries to find a random address. */
> >         random_addr = find_random_phys_addr(min_addr, output_size);
> >         if (!random_addr) {
> >                 warn("Physical KASLR disabled: no suitable memory region!");
> > --
> > 2.5.5
> >
> 
> Otherwise, if the EFI logic is good, this looks sensible.
> 
> Thanks for splitting up the patches!
> 
> -Kees
> 
> -- 
> Kees Cook
> Pixel Security

Re: [PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

On 07/09/17 at 07:11am, Kees Cook wrote:
> On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
> > Signed-off-by: Baoquan He <bhe@redhat.com>
> > +/* Marks if efi mirror regions have been found and handled. */
> > +static bool efi_mirror_found;
> 
> I think this is only ever checked once? How about having
> process_efi_entries return bool to indicate if mirror was found? Also,
> that function should be behind #ifdef. Let's do something like this:
> 
> 
> > +
> > +static void process_efi_entries(unsigned long minimum,
> > +                               unsigned long image_size)
> 
> #ifdef CONFIG_EFI
> /* Returns true if mirror region found (and further scanning should stop) */

Well, here it might be not like that. The mirror regions could be multiple,
we need find and process each of them to add slots. 

> static bool process_efi_entries(...)
> {
> ...
> }
> #else
> static inline bool process_efi_entries(...)
> {
>     return false;
> }
> #endif
> 
> Then:
> 
> > +#ifdef CONFIG_EFI
> > +       process_efi_entries(minimum, image_size);
> > +       if (efi_mirror_found)
> > +               return slots_fetch_random();
> > +#endif
> 
> Can become:
> 
> if (process_efi_entries(minimum, image_size))
>     return slots_fetch_random()
> 
> and no #ifndef needed here.
> 
> > +
> >         process_e820_entries(minimum, image_size);
> >         return slots_fetch_random();
> >  }
> > @@ -652,7 +708,7 @@ void choose_random_location(unsigned long input,
> >          */
> >         min_addr = min(*output, 512UL << 20);
> >
> > -       /* Walk e820 and find a random address. */
> > +       /* Walk available memory entries to find a random address. */
> >         random_addr = find_random_phys_addr(min_addr, output_size);
> >         if (!random_addr) {
> >                 warn("Physical KASLR disabled: no suitable memory region!");
> > --
> > 2.5.5
> >
> 
> Otherwise, if the EFI logic is good, this looks sensible.
> 
> Thanks for splitting up the patches!
> 
> -Kees
> 
> -- 
> Kees Cook
> Pixel Security

Re: [PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Chao Fan]

On Mon, Jul 10, 2017 at 09:47:29AM +0800, Baoquan He wrote:
>On 07/09/17 at 07:11am, Kees Cook wrote:
>> On Sun, Jul 9, 2017 at 5:37 AM, Baoquan He <bhe@redhat.com> wrote:
>> > Signed-off-by: Baoquan He <bhe@redhat.com>
>> > +/* Marks if efi mirror regions have been found and handled. */
>> > +static bool efi_mirror_found;
>> 
>> I think this is only ever checked once? How about having
>> process_efi_entries return bool to indicate if mirror was found? Also,
>> that function should be behind #ifdef. Let's do something like this:
>> 
>> 
>> > +
>> > +static void process_efi_entries(unsigned long minimum,
>> > +                               unsigned long image_size)
>> 
>> #ifdef CONFIG_EFI
>> /* Returns true if mirror region found (and further scanning should stop) */
>
>Well, here it might be not like that. The mirror regions could be multiple,
>we need find and process each of them to add slots. 

Yes, in my test, I found the memory situation is like this:

0-1325M:	mirror	(this scope contains tens of entries)
1532M-2303M:	non-mirror
4G-128G:	non-mirror
129G-154G:	mirror
154G-231G:	non-mirror

Thanks,
Chao Fan

>
>> static bool process_efi_entries(...)
>> {
>> ...
>> }
>> #else
>> static inline bool process_efi_entries(...)
>> {
>>     return false;
>> }
>> #endif
>> 
>> Then:
>> 
>> > +#ifdef CONFIG_EFI
>> > +       process_efi_entries(minimum, image_size);
>> > +       if (efi_mirror_found)
>> > +               return slots_fetch_random();
>> > +#endif
>> 
>> Can become:
>> 
>> if (process_efi_entries(minimum, image_size))
>>     return slots_fetch_random()
>> 
>> and no #ifndef needed here.
>> 
>> > +
>> >         process_e820_entries(minimum, image_size);
>> >         return slots_fetch_random();
>> >  }
>> > @@ -652,7 +708,7 @@ void choose_random_location(unsigned long input,
>> >          */
>> >         min_addr = min(*output, 512UL << 20);
>> >
>> > -       /* Walk e820 and find a random address. */
>> > +       /* Walk available memory entries to find a random address. */
>> >         random_addr = find_random_phys_addr(min_addr, output_size);
>> >         if (!random_addr) {
>> >                 warn("Physical KASLR disabled: no suitable memory region!");
>> > --
>> > 2.5.5
>> >
>> 
>> Otherwise, if the EFI logic is good, this looks sensible.
>> 
>> Thanks for splitting up the patches!
>> 
>> -Kees
>> 
>> -- 
>> Kees Cook
>> Pixel Security
>
>

Re: [PATCH v4 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Hi Kees,

Do you think the patch as below is OK to you? 

Thanks!

>From 1cec45dc65090f6d17bf3499b8904efc1822082e Mon Sep 17 00:00:00 2001
From: Baoquan He <bhe@redhat.com>
Date: Fri, 7 Jul 2017 17:25:41 +0800
Subject: [PATCH v5 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror
 regions

Kernel text may be located in non-mirror regions (movable zone) when both
address range mirroring feature and KASLR are enabled.

The address range mirroring feature arranges such mirror region into
normal zone and other region into movable zone in order to locate
kernel code and data in mirror region. The physical memory region
whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
attribute (bit: 16) are mirrored.

If efi is detected, iterate efi memory map and pick the mirror region to
process for adding candidate of randomization slot. If efi is disabled
or no mirror region found, still process e820 memory map.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
v4->v5:
  Change the process_efi_entries() to return bool value to indicate if a
  mirror region is found and has been processed to add slots.

  Move process_efi_entries() into #ifdef CONFIG_EFI section, and also
  make another dummy process_efi_entries() to return false behind #else.

  These are done according to Kees's suggestion.
  
 arch/x86/boot/compressed/kaslr.c | 68 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 99c7194f7ea6..9059b571eca1 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -37,7 +37,9 @@
 #include <linux/uts.h>
 #include <linux/utsname.h>
 #include <linux/ctype.h>
+#include <linux/efi.h>
 #include <generated/utsrelease.h>
+#include <asm/efi.h>
 
 /* Macros used by the included decompressor code below. */
 #define STATIC
@@ -558,6 +560,65 @@ static void process_mem_region(struct mem_vector *entry,
 	}
 }
 
+#ifdef CONFIG_EFI
+/*
+ * Returns true if mirror region found (and must have been processed
+ * for slots adding)
+ */
+static bool process_efi_entries(unsigned long minimum,
+				unsigned long image_size)
+{
+	struct efi_info *e = &boot_params->efi_info;
+	bool efi_mirror_found = false;
+	struct mem_vector region;
+	efi_memory_desc_t *md;
+	unsigned long pmap;
+	char *signature;
+	u32 nr_desc;
+	int i;
+
+	signature = (char *)&boot_params->efi_info.efi_loader_signature;
+	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
+	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
+		return false;
+
+#ifdef CONFIG_X86_32
+	/* Can't handle data above 4GB at this time */
+	if (e->efi_memmap_hi) {
+		warn("Memory map is above 4GB, EFI should be disabled.\n");
+		return false;
+	}
+	pmap =  e->efi_memmap;
+#else
+	pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
+#endif
+
+	nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
+	for (i = 0; i < nr_desc; i++) {
+		md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
+		if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
+			region.start = md->phys_addr;
+			region.size = md->num_pages << EFI_PAGE_SHIFT;
+			process_mem_region(&region, minimum, image_size);
+			efi_mirror_found = true;
+
+			if (slot_area_index == MAX_SLOT_AREA) {
+				debug_putstr("Aborted efi scan (slot_areas full)!\n");
+				break;
+			}
+		}
+	}
+
+	return efi_mirror_found;
+}
+#else
+static inline bool process_efi_entries(unsigned long minimum,
+				       unsigned long image_size)
+{
+	return false;
+}
+#endif
+
 static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
@@ -586,13 +647,16 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 {
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
-		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
+		debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
 		return 0;
 	}
 
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
+	if(process_efi_entries(minimum, image_size))
+		return slots_fetch_random();
+
 	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
@@ -652,7 +716,7 @@ void choose_random_location(unsigned long input,
 	 */
 	min_addr = min(*output, 512UL << 20);
 
-	/* Walk e820 and find a random address. */
+	/* Walk available memory entries to find a random address. */
 	random_addr = find_random_phys_addr(min_addr, output_size);
 	if (!random_addr) {
 		warn("Physical KASLR disabled: no suitable memory region!");
-- 
2.5.5

[tip:x86/boot] x86/boot/KASLR: Wrap e820 entries walking code into new function process_e820_entries()

[tip-bot for Baoquan He]

Commit-ID:  f62995c92a29e4d9331382b8b2461eef3b9c7c6b
Gitweb:     http://git.kernel.org/tip/f62995c92a29e4d9331382b8b2461eef3b9c7c6b
Author:     Baoquan He <bhe@redhat.com>
AuthorDate: Sun, 9 Jul 2017 20:37:39 +0800
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 18 Jul 2017 11:11:11 +0200

x86/boot/KASLR: Wrap e820 entries walking code into new function process_e820_entries()

The original function process_e820_entry() only takes care of each
e820 entry passed.

And move the E820_TYPE_RAM checking logic into process_e820_entries().

And remove the redundent local variable 'addr' definition in
find_random_phys_addr().

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: fanc.fnst@cn.fujitsu.com
Cc: izumi.taku@jp.fujitsu.com
Cc: matt@codeblueprint.co.uk
Cc: thgarnie@google.com
Link: http://lkml.kernel.org/r/1499603862-11516-2-git-send-email-bhe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/boot/compressed/kaslr.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 91f27ab..1485f48 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -488,10 +488,6 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	unsigned long start_orig, end;
 	struct boot_e820_entry cur_entry;
 
-	/* Skip non-RAM entries. */
-	if (entry->type != E820_TYPE_RAM)
-		return;
-
 	/* On 32-bit, ignore entries entirely above our maximum. */
 	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
 		return;
@@ -562,12 +558,29 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	}
 }
 
-static unsigned long find_random_phys_addr(unsigned long minimum,
-					   unsigned long image_size)
+static void process_e820_entries(unsigned long minimum,
+				 unsigned long image_size)
 {
 	int i;
-	unsigned long addr;
+	struct boot_e820_entry *entry;
+
+	/* Verify potential e820 positions, appending to slots list. */
+	for (i = 0; i < boot_params->e820_entries; i++) {
+		entry = &boot_params->e820_table[i];
+		/* Skip non-RAM entries. */
+		if (entry->type != E820_TYPE_RAM)
+			continue;
+		process_e820_entry(entry, minimum, image_size);
+		if (slot_area_index == MAX_SLOT_AREA) {
+			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
+			break;
+		}
+	}
+}
 
+static unsigned long find_random_phys_addr(unsigned long minimum,
+					   unsigned long image_size)
+{
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
 		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
@@ -577,16 +590,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
-	/* Verify potential e820 positions, appending to slots list. */
-	for (i = 0; i < boot_params->e820_entries; i++) {
-		process_e820_entry(&boot_params->e820_table[i], minimum,
-				   image_size);
-		if (slot_area_index == MAX_SLOT_AREA) {
-			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
-			break;
-		}
-	}
-
+	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
 

[tip:x86/boot] x86/boot/KASLR: Switch to pass struct mem_vector to process_e820_entry()

[tip-bot for Baoquan He]

Commit-ID:  87891b01b54210763117f0a67b022cd94de6cd13
Gitweb:     http://git.kernel.org/tip/87891b01b54210763117f0a67b022cd94de6cd13
Author:     Baoquan He <bhe@redhat.com>
AuthorDate: Sun, 9 Jul 2017 20:37:40 +0800
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 18 Jul 2017 11:11:11 +0200

x86/boot/KASLR: Switch to pass struct mem_vector to process_e820_entry()

This makes process_e820_entry() be able to process any kind of memory
region.

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: fanc.fnst@cn.fujitsu.com
Cc: izumi.taku@jp.fujitsu.com
Cc: matt@codeblueprint.co.uk
Cc: thgarnie@google.com
Link: http://lkml.kernel.org/r/1499603862-11516-3-git-send-email-bhe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/boot/compressed/kaslr.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 1485f48..36ff9f7 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,31 +479,31 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct boot_e820_entry *entry,
+static void process_e820_entry(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
 	struct mem_vector region, overlap;
 	struct slot_area slot_area;
 	unsigned long start_orig, end;
-	struct boot_e820_entry cur_entry;
+	struct mem_vector cur_entry;
 
 	/* On 32-bit, ignore entries entirely above our maximum. */
-	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
+	if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
 		return;
 
 	/* Ignore entries entirely below our minimum. */
-	if (entry->addr + entry->size < minimum)
+	if (entry->start + entry->size < minimum)
 		return;
 
 	/* Ignore entries above memory limit */
-	end = min(entry->size + entry->addr, mem_limit);
-	if (entry->addr >= end)
+	end = min(entry->size + entry->start, mem_limit);
+	if (entry->start >= end)
 		return;
-	cur_entry.addr = entry->addr;
-	cur_entry.size = end - entry->addr;
+	cur_entry.start = entry->start;
+	cur_entry.size = end - entry->start;
 
-	region.start = cur_entry.addr;
+	region.start = cur_entry.start;
 	region.size = cur_entry.size;
 
 	/* Give up if slot area array is full. */
@@ -518,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
 		/* Did we raise the address above this e820 region? */
-		if (region.start > cur_entry.addr + cur_entry.size)
+		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
 		/* Reduce size by any delta from the original address. */
@@ -562,6 +562,7 @@ static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
 	int i;
+	struct mem_vector region;
 	struct boot_e820_entry *entry;
 
 	/* Verify potential e820 positions, appending to slots list. */
@@ -570,7 +571,9 @@ static void process_e820_entries(unsigned long minimum,
 		/* Skip non-RAM entries. */
 		if (entry->type != E820_TYPE_RAM)
 			continue;
-		process_e820_entry(entry, minimum, image_size);
+		region.start = entry->addr;
+		region.size = entry->size;
+		process_e820_entry(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;

[tip:x86/boot] x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()

[tip-bot for Baoquan He]

Commit-ID:  27aac20574110abfd594175a668dc58b23b2b14a
Gitweb:     http://git.kernel.org/tip/27aac20574110abfd594175a668dc58b23b2b14a
Author:     Baoquan He <bhe@redhat.com>
AuthorDate: Sun, 9 Jul 2017 20:37:41 +0800
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 18 Jul 2017 11:11:12 +0200

x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()

Now process_e820_entry() is not limited to e820 entry processing, rename
it to process_mem_region(). And adjust the code comment accordingly.

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: fanc.fnst@cn.fujitsu.com
Cc: izumi.taku@jp.fujitsu.com
Cc: matt@codeblueprint.co.uk
Cc: thgarnie@google.com
Link: http://lkml.kernel.org/r/1499603862-11516-4-git-send-email-bhe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/boot/compressed/kaslr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 36ff9f7..99c7194f 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,7 +479,7 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct mem_vector *entry,
+static void process_mem_region(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
@@ -517,7 +517,7 @@ static void process_e820_entry(struct mem_vector *entry,
 		/* Potentially raise address to meet alignment needs. */
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
-		/* Did we raise the address above this e820 region? */
+		/* Did we raise the address above the passed in memory entry? */
 		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
@@ -573,7 +573,7 @@ static void process_e820_entries(unsigned long minimum,
 			continue;
 		region.start = entry->addr;
 		region.size = entry->size;
-		process_e820_entry(&region, minimum, image_size);
+		process_mem_region(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;