From: tip-bot for Dave Jiang <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: tglx@linutronix.de, hpa@zytor.com, dave.jiang@intel.com,
	mingo@kernel.org, linux-kernel@vger.kernel.org
Subject: [tip:x86/urgent] x86/boot: Prevent KASLR and memmap collision
Date: Mon, 19 Dec 2016 03:33:54 -0800	[thread overview]
Message-ID: <tip-d1a5058c063d9e0aaaf4d360d0f8074ee55ed096@git.kernel.org> (raw)
In-Reply-To: <148044760044.153060.616417783293212181.stgit@djiang5-desk3.ch.intel.com>

Commit-ID:  d1a5058c063d9e0aaaf4d360d0f8074ee55ed096
Gitweb:     http://git.kernel.org/tip/d1a5058c063d9e0aaaf4d360d0f8074ee55ed096
Author:     Dave Jiang <dave.jiang@intel.com>
AuthorDate: Tue, 29 Nov 2016 12:26:40 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Mon, 19 Dec 2016 12:27:52 +0100

x86/boot: Prevent KASLR and memmap collision

CONFIG_RANDOMIZE_BASE relocates the kernel to a random base address.
However it does not take into account the memmap= parameter passed to the
kernel cmdline, so KASLR can put the kernel into a user defined memmap.

Prevent KASLR from inserting the kernel in memmap defined regions by
parsing the memmap command line arguments and adding them to the set of
memory regions to avoid for kernel placement.

The parser handles up to four memmap regions. If more regions are on the
command line KASLR is disabled.

Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Cc: dan.j.williams@intel.com
Cc: david@fromorbit.com
Cc: linux-nvdimm@lists.01.org
Link: http://lkml.kernel.org/r/148044760044.153060.616417783293212181.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

---
 arch/x86/boot/boot.h             |  3 ++
 arch/x86/boot/compressed/kaslr.c | 82 ++++++++++++++++++++++++++++++++++++++++
 arch/x86/boot/string.c           | 38 +++++++++++++++++++
 3 files changed, 123 insertions(+)

diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
index e5612f3..59c2075 100644
--- a/arch/x86/boot/boot.h
+++ b/arch/x86/boot/boot.h
@@ -332,7 +332,10 @@ int strncmp(const char *cs, const char *ct, size_t count);
 size_t strnlen(const char *s, size_t maxlen);
 unsigned int atou(const char *s);
 unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base);
+unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base);
+long simple_strtol(const char *cp, char **endp, unsigned int base);
 size_t strlen(const char *s);
+char *strchr(const char *s, int c);
 
 /* tty.c */
 void puts(const char *);
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index a66854d..915509f 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -11,6 +11,7 @@
  */
 #include "misc.h"
 #include "error.h"
+#include "../boot.h"
 
 #include <generated/compile.h>
 #include <linux/module.h>
@@ -61,9 +62,16 @@ enum mem_avoid_index {
 	MEM_AVOID_INITRD,
 	MEM_AVOID_CMDLINE,
 	MEM_AVOID_BOOTPARAMS,
+	MEM_AVOID_MEMMAP1,
+	MEM_AVOID_MEMMAP2,
+	MEM_AVOID_MEMMAP3,
+	MEM_AVOID_MEMMAP4,
 	MEM_AVOID_MAX,
 };
 
+/* only supporting at most 4 memmap regions with kaslr */
+#define MAX_MEMMAP_REGIONS	4
+
 static struct mem_vector mem_avoid[MEM_AVOID_MAX];
 
 static bool mem_overlaps(struct mem_vector *one, struct mem_vector *two)
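Review bot: The four MEM_AVOID_MEMMAPn enumerators and `MAX_MEMMAP_REGIONS` encode the same limit twice and must be kept in sync by hand, while the loop in mem_avoid_memmap only ever indexes `MEM_AVOID_MEMMAP1 + i`. A single pair of markers derived from the define avoids the duplication, e.g. `MEM_AVOID_MEMMAP_BEGIN,` and `MEM_AVOID_MEMMAP_END = MEM_AVOID_MEMMAP_BEGIN + MAX_MEMMAP_REGIONS - 1,` placed before MEM_AVOID_MAX, with the define moved above the enum. The comment on the define could also say why four, since nothing in the hunk explains the choice.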
@@ -77,6 +85,72 @@ static bool mem_overlaps(struct mem_vector *one, struct mem_vector *two)
 	return true;
 }
 
+#include "../../../../lib/cmdline.c"
+
+static int
+parse_memmap(char *p, unsigned long long *start, unsigned long long *size)
+{
+	char *oldp;
+
+	if (!p)
+		return -EINVAL;
+
+	/* we don't care about this option here */
+	if (!strncmp(p, "exactmap", 8))
+		return -EINVAL;
+
+	oldp = p;
+	*size = memparse(p, &p);
+	if (p == oldp)
+		return -EINVAL;
+
+	switch (*p) {
+	case '@':
+	case '#':
+	case '$':
+	case '!':
+		*start = memparse(p + 1, &p);
+		return 0;
+	}
+
+	return -EINVAL;
+}
+
+static int mem_avoid_memmap(void)
+{
+	char arg[128];
+	int rc = 0;
+
+	/* see if we have any memmap areas */
+	if (cmdline_find_option("memmap", arg, sizeof(arg)) > 0) {
+		int i = 0;
+		char *str = arg;
+
+		while (str && (i < MAX_MEMMAP_REGIONS)) {
+			unsigned long long start, size;
+			char *k = strchr(str, ',');
+
+			if (k)
+				*k++ = 0;
+
+			rc = parse_memmap(str, &start, &size);
+			if (rc < 0)
+				break;
+			str = k;
+
+			mem_avoid[MEM_AVOID_MEMMAP1 + i].start = start;
+			mem_avoid[MEM_AVOID_MEMMAP1 + i].size = size;
+			i++;
+		}
+
+		/* more than 4 memmaps, fail kaslr */
+		if ((i >= MAX_MEMMAP_REGIONS) && str)
+			rc = -EINVAL;
+	}
+
+	return rc;
+}
+
 /*
  * In theory, KASLR can put the kernel anywhere in the range of [16M, 64T).
  * The mem_avoid array is used to store the ranges that need to be avoided
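Review bot: parse_memmap answers `exactmap` with -EINVAL even though its comment says the option is simply not of interest here, and mem_avoid_memmap breaks out of the loop and returns that rc, so a command line carrying `memmap=exactmap` presumably disables KASLR outright and the caller (in the choose_random_location hunk below) prints the "exceeds limit of 4" warning for what is a parse result, not a count. A distinct code for entries to skip would keep the two cases apart, e.g. `return -ENOENT;` for exactmap, and in the loop `str = k; if (rc == -ENOENT) { rc = 0; continue; } if (rc < 0) break;`, with the warning text at the call site reworded to cover both outcomes. Two further limits are worth a comment on mem_avoid_memmap: `cmdline_find_option` yields a single value, so if the command line repeats `memmap=` the regions in the other occurrences appear not to be avoided at all, and a value longer than the 128-byte `arg` buffer is presumably truncated and then parsed as if complete. Both silently leave a user-defined region unprotected, which is the collision this change sets out to prevent, so at minimum the limitation should be stated next to the buffer, e.g. `/* Only one memmap= value is seen; later occurrences are not parsed. */`.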
@@ -429,6 +503,7 @@ void choose_random_location(unsigned long input,
 			    unsigned long *virt_addr)
 {
 	unsigned long random_addr, min_addr;
+	int rc;
 
 	/* By default, keep output position unchanged. */
 	*virt_addr = *output;
@@ -438,6 +513,13 @@ void choose_random_location(unsigned long input,
 		return;
 	}
 
+	/* Mark the memmap regions we need to avoid */
+	rc = mem_avoid_memmap();
+	if (rc < 0) {
+		warn("KASLR disabled: memmap exceeds limit of 4, giving up.");
+		return;
+	}
+
 	boot_params->hdr.loadflags |= KASLR_FLAG;
 
 	/* Prepare to add new identity pagetables on demand. */
diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c
index cc3bd58..0464aaa 100644
--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -122,6 +122,31 @@ unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int bas
 }
 
 /**
+ * simple_strtoul - convert a string to an unsigned long
+ * @cp: The start of the string
+ * @endp: A pointer to the end of the parsed string will be placed here
+ * @base: The number base to use
+ */
+unsigned long simple_strtoul(const char *cp, char **endp, unsigned int base)
+{
+	return simple_strtoull(cp, endp, base);
+}
+
+/**
+ * simple_strtol - convert a string to a signed long
+ * @cp: The start of the string
+ * @endp: A pointer to the end of the parsed string will be placed here
+ * @base: The number base to use
+ */
+long simple_strtol(const char *cp, char **endp, unsigned int base)
+{
+	if (*cp == '-')
+		return -simple_strtoul(cp + 1, endp, base);
+
+	return simple_strtoul(cp, endp, base);
+}
+
+/**
  * strlen - Find the length of a string
  * @s: The string to be sized
  */
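Review bot: simple_strtol negates an `unsigned long` and hands it back as `long` (the `-simple_strtoul(...)` line), so a magnitude above LONG_MAX wraps with no error indication, and simple_strtoul likewise narrows the `unsigned long long` result on 32-bit builds; neither kernel-doc block says so. Since these are boot-time parsers of untrusted command-line text, one line in each header stating the contract would help callers, e.g. `* No overflow detection: out-of-range values wrap; check @endp for what was consumed.`.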
@@ -155,3 +180,16 @@ char *strstr(const char *s1, const char *s2)
 	}
 	return NULL;
 }
+
+/**
+ * strchr - Find the first occurrence of the character c in the string s.
+ * @s: the string to be searched
+ * @c: the character to search for
+ */
+char *strchr(const char *s, int c)
+{
+	while (*s != (char)c)
+		if (*s++ == '\0')
+			return NULL;
+	return (char *)s;
+}
