From: "tip-bot2 for Ard Biesheuvel" <tip-bot2@linutronix.de>
To: linux-tip-commits@vger.kernel.org
Cc: Jiri Slaby <jslaby@suse.cz>, Ard Biesheuvel <ardb@kernel.org>,
Ingo Molnar <mingo@kernel.org>, x86 <x86@kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: [tip: efi/urgent] efi/x86: Don't remap text<->rodata gap read-only for mixed mode
Date: Tue, 14 Apr 2020 08:20:48 -0000 [thread overview]
Message-ID: <158685244872.28353.1602051956513496508.tip-bot2@tip-bot2> (raw)
In-Reply-To: <20200409130434.6736-10-ardb@kernel.org>
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: f6103162008dfd37567f240b50e5e1ea7cf2e00c
Gitweb: https://git.kernel.org/tip/f6103162008dfd37567f240b50e5e1ea7cf2e00c
Author: Ard Biesheuvel <ardb@kernel.org>
AuthorDate: Thu, 09 Apr 2020 15:04:34 +02:00
Committer: Ingo Molnar <mingo@kernel.org>
CommitterDate: Tue, 14 Apr 2020 08:32:17 +02:00
efi/x86: Don't remap text<->rodata gap read-only for mixed mode
Commit
d9e3d2c4f10320 ("efi/x86: Don't map the entire kernel text RW for mixed mode")
updated the code that creates the 1:1 memory mapping to use read-only
attributes for the 1:1 alias of the kernel's text and rodata sections, to
protect it from inadvertent modification. However, it failed to take into
account that the unused gap between text and rodata is given to the page
allocator for general use.
If the vmap'ed stack happens to be allocated from this region, any by-ref
output arguments passed to EFI runtime services that are allocated on the
stack (such as the 'datasize' argument taken by GetVariable() when invoked
from efivar_entry_size()) will be referenced via a read-only mapping,
resulting in a page fault if the EFI code tries to write to it:
BUG: unable to handle page fault for address: 00000000386aae88
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD fd61063 P4D fd61063 PUD fd62063 PMD 386000e1
Oops: 0003 [#1] SMP PTI
CPU: 2 PID: 255 Comm: systemd-sysv-ge Not tainted 5.6.0-rc4-default+ #22
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0008:0x3eaeed95
Code: ... <89> 03 be 05 00 00 80 a1 74 63 b1 3e 83 c0 48 e8 44 d2 ff ff eb 05
RSP: 0018:000000000fd73fa0 EFLAGS: 00010002
RAX: 0000000000000001 RBX: 00000000386aae88 RCX: 000000003e9f1120
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 000000000fd73fd8 R08: 00000000386aae88 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc0f040220000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f21160ac940(0000) GS:ffff9cf23d500000(0000) knlGS:0000000000000000
CS: 0008 DS: 0018 ES: 0018 CR0: 0000000080050033
CR2: 00000000386aae88 CR3: 000000000fd6c004 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
CR2: 00000000386aae88
---[ end trace a8bfbd202e712834 ]---
Let's fix this by remapping text and rodata individually, and leave the
gaps mapped read-write.
Fixes: d9e3d2c4f10320 ("efi/x86: Don't map the entire kernel text RW for mixed mode")
Reported-by: Jiri Slaby <jslaby@suse.cz>
Tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20200409130434.6736-10-ardb@kernel.org
---
arch/x86/platform/efi/efi_64.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index e0e2e81..c5e393f 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -202,7 +202,7 @@ virt_to_phys_or_null_size(void *va, unsigned long size)
int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
{
- unsigned long pfn, text, pf;
+ unsigned long pfn, text, pf, rodata;
struct page *page;
unsigned npages;
pgd_t *pgd = efi_mm.pgd;
@@ -256,7 +256,7 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
efi_scratch.phys_stack = page_to_phys(page + 1); /* stack grows down */
- npages = (__end_rodata_aligned - _text) >> PAGE_SHIFT;
+ npages = (_etext - _text) >> PAGE_SHIFT;
text = __pa(_text);
pfn = text >> PAGE_SHIFT;
@@ -266,6 +266,14 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
return 1;
}
+ npages = (__end_rodata - __start_rodata) >> PAGE_SHIFT;
+ rodata = __pa(__start_rodata);
+ pfn = rodata >> PAGE_SHIFT;
+ if (kernel_map_pages_in_pgd(pgd, pfn, rodata, npages, pf)) {
+ pr_err("Failed to map kernel rodata 1:1\n");
+ return 1;
+ }
+
return 0;
}
next prev parent reply other threads:[~2020-04-14 8:22 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-09 13:04 [GIT PULL 0/9] EFI fixes for v5.7-rc Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 1/9] efi/cper: Use scnprintf() for avoiding potential buffer overflow Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 2/9] efi/libstub/x86: remove redundant assignment to pointer hdr Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 3/9] efi/x86: Move efi stub globals from .bss to .data Ard Biesheuvel
2020-04-09 20:05 ` Brian Gerst
2020-04-09 20:53 ` Brian Gerst
2020-04-09 21:08 ` Arvind Sankar
2020-04-10 8:20 ` Ard Biesheuvel
2020-04-10 15:16 ` Arvind Sankar
2020-04-10 16:03 ` Ard Biesheuvel
2020-04-10 18:01 ` Arvind Sankar
2020-04-10 18:03 ` Ard Biesheuvel
2020-04-10 19:03 ` Arvind Sankar
2020-04-11 1:03 ` Arvind Sankar
2020-04-09 13:04 ` [PATCH 4/9] efi/x86: Always relocate the kernel for EFI handover entry Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 5/9] efi/arm: Deal with ADR going out of range in efi_enter_kernel() Ard Biesheuvel
2020-04-14 8:20 ` [tip: efi/urgent] " tip-bot2 for Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 6/9] Documentation: efi/x86: clarify EFI handover protocol and its requirements Ard Biesheuvel
2020-04-14 8:20 ` [tip: efi/urgent] Documentation/x86, efi/x86: Clarify " tip-bot2 for Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 7/9] efi/libstub/file: merge filename buffers to reduce stack usage Ard Biesheuvel
2020-04-14 8:20 ` [tip: efi/urgent] efi/libstub/file: Merge file name " tip-bot2 for Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 8/9] efi/x86: Fix the deletion of variables in mixed mode Ard Biesheuvel
2020-04-09 13:04 ` [PATCH 9/9] efi/x86: Don't remap text<->rodata gap read-only for " Ard Biesheuvel
2020-04-14 8:20 ` tip-bot2 for Ard Biesheuvel [this message]
2020-04-09 19:01 ` [GIT PULL 0/9] EFI fixes for v5.7-rc Theodore Y. Ts'o
2020-04-09 19:04 ` Ard Biesheuvel
2020-04-09 20:16 ` Theodore Y. Ts'o
2020-04-09 21:29 ` Ard Biesheuvel
2020-04-09 23:57 ` Theodore Y. Ts'o
2020-04-10 7:08 ` Ard Biesheuvel
2020-04-10 13:54 ` Dave Young
2020-04-11 19:43 ` Theodore Y. Ts'o
2020-04-12 3:51 ` Dave Young
2020-04-13 14:07 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=158685244872.28353.1602051956513496508.tip-bot2@tip-bot2 \
--to=tip-bot2@linutronix.de \
--cc=ardb@kernel.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).