From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S376431AbdD2KPD (ORCPT ); Sat, 29 Apr 2017 06:15:03 -0400 Received: from mx1.redhat.com ([209.132.183.28]:39436 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756454AbdD2KOw (ORCPT ); Sat, 29 Apr 2017 06:14:52 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 471B179341 Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx04.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=bhe@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 471B179341 Date: Sat, 29 Apr 2017 18:14:46 +0800 From: Baoquan He To: Kees Cook Cc: Ingo Molnar , LKML , Dave Young , douly.fnst@cn.fujitsu.com, Dan Williams , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "x86@kernel.org" , Yinghai Lu , Borislav Petkov Subject: Re: [PATCH v3 2/3] KASLR: Handle memory limit specified by memmap and mem option Message-ID: <20170429101446.GH2649@x1> References: <1493201772-19084-1-git-send-email-bhe@redhat.com> <1493201772-19084-3-git-send-email-bhe@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.0 (2016-08-17) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Sat, 29 Apr 2017 10:14:51 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/28/17 at 12:39pm, Kees Cook wrote: > On Wed, Apr 26, 2017 at 3:16 AM, Baoquan He wrote: > > Option mem= will limit the max address a system can use and any memory > > region above the limit will be removed. > > > > Furthermore, memmap=nn[KMG] which has no offset specified has the same > > behaviour as mem=. > > > > KASLR needs to consider this when choosing the random position for > > decompressing the kernel. > > > > This patch implements that. > > > > Signed-off-by: Baoquan He > > Acked-by: Kees Cook > > Cc: "H. Peter Anvin" > > Cc: Thomas Gleixner > > Cc: Ingo Molnar > > Cc: x86@kernel.org > > Cc: Kees Cook > > Cc: Yinghai Lu > > Cc: Borislav Petkov > > --- > > arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++++++++++++-------- > > 1 file changed, 48 insertions(+), 12 deletions(-) > > > > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c > > index 53a06ec..e5eb0c3 100644 > > --- a/arch/x86/boot/compressed/kaslr.c > > +++ b/arch/x86/boot/compressed/kaslr.c > > @@ -78,6 +78,10 @@ static bool memmap_too_large; > > extern unsigned long get_cmd_line_ptr(void); > > > > > > +/* Store memory limit specified by "mem=nn[KMG]" or "memmap=nn[KMG]" */ > > +unsigned long long mem_limit = ULLONG_MAX; > > + > > + > > enum mem_avoid_index { > > MEM_AVOID_ZO_RANGE = 0, > > MEM_AVOID_INITRD, > > @@ -128,16 +132,22 @@ parse_memmap(char *p, unsigned long long *start, unsigned long long *size) > > return -EINVAL; > > > > switch (*p) { > > - case '@': > > - /* Skip this region, usable */ > > - *start = 0; > > - *size = 0; > > - return 0; > > case '#': > > case '$': > > case '!': > > *start = memparse(p + 1, &p); > > return 0; > > + case '@': > > + /* memmap=nn@ss specifies usable region, should be skipped */ > > + *size = 0; > > Please explicitly add a comment like /* Fall through. */ or something > here, to help future reviewers. :) Sure, will add. Thanks! > > > + default: > > + /* > > + * If w/o offset, only size specified, memmap=nn[KMG] has the > > + * same behaviour as mem=nn[KMG]. It limits the max address > > + * system can use. Region above the limit should be avoided. > > + */ > > + *start = 0; > > + return 0; > > } > > > > return -EINVAL; > > @@ -163,9 +173,14 @@ static void mem_avoid_memmap(char *str) > > if (rc < 0) > > break; > > str = k; > > - /* A usable region that should not be skipped */ > > - if (size == 0) > > + > > + if (start == 0) { > > + /* Store the specified memory limit if size > 0 */ > > + if (size > 0) > > + mem_limit = size; > > + > > continue; > > + } > > > > mem_avoid[MEM_AVOID_MEMMAP_BEGIN + i].start = start; > > mem_avoid[MEM_AVOID_MEMMAP_BEGIN + i].size = size; > > @@ -189,6 +204,7 @@ static int handle_mem_memmap(void) > > size_t len = strlen((char *)args); > > char *tmp_cmdline; > > char *param, *val; > > + u64 mem_size; > > > > tmp_cmdline = malloc(COMMAND_LINE_SIZE); > > if (!tmp_cmdline ) > > @@ -211,8 +227,20 @@ static int handle_mem_memmap(void) > > return -1; > > } > > > > - if (!strcmp(param, "memmap")) > > + if (!strcmp(param, "memmap")) { > > mem_avoid_memmap(val); > > + } else if (!strcmp(param, "mem")) { > > + char *p = val; > > + > > + if (!strcmp(p, "nopentium")) > > + continue; > > + mem_size = memparse(p, &p); > > + if (mem_size == 0) { > > + free(tmp_cmdline); > > + return -EINVAL; > > + } > > + mem_limit = mem_size; > > + } > > } > > > > free(tmp_cmdline); > > @@ -449,7 +477,8 @@ static void process_e820_entry(struct boot_e820_entry *entry, > > { > > struct mem_vector region, overlap; > > struct slot_area slot_area; > > - unsigned long start_orig; > > + unsigned long start_orig, end; > > + struct boot_e820_entry cur_entry; > > > > /* Skip non-RAM entries. */ > > if (entry->type != E820_TYPE_RAM) > > @@ -463,8 +492,15 @@ static void process_e820_entry(struct boot_e820_entry *entry, > > if (entry->addr + entry->size < minimum) > > return; > > > > - region.start = entry->addr; > > - region.size = entry->size; > > + /* Ignore entries above memory limit */ > > + end = min(entry->size + entry->addr, mem_limit); > > + if (entry->addr >= end) > > + return; > > + cur_entry.addr = entry->addr; > > + cur_entry.size = end - entry->addr; > > + > > + region.start = cur_entry.addr; > > + region.size = cur_entry.size; > > > > /* Give up if slot area array is full. */ > > while (slot_area_index < MAX_SLOT_AREA) { > > @@ -478,7 +514,7 @@ static void process_e820_entry(struct boot_e820_entry *entry, > > region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN); > > > > /* Did we raise the address above this e820 region? */ > > - if (region.start > entry->addr + entry->size) > > + if (region.start > cur_entry.addr + cur_entry.size) > > return; > > > > /* Reduce size by any delta from the original address. */ > > -- > > 2.5.5 > > > > Otherwise, this looks good to me. > > -Kees > > -- > Kees Cook > Pixel Security