Hello Kees
I'm worrying that setup_data regions could be overwitten by randomize
kernel base. Would you like to fix it in kaslr code?
One problem is there could be a lot of setup_data regions but current
mem_avoid is an fixed array.
Thanks
Dave
On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <[email protected]> wrote:
> Hello Kees
>
> I'm worrying that setup_data regions could be overwitten by randomize
> kernel base. Would you like to fix it in kaslr code?
>
> One problem is there could be a lot of setup_data regions but current
> mem_avoid is an fixed array.
Sure, can you give me some examples? Seems like it shouldn't be too
hard to have the mem_avoid logic walk additional areas.
-Kees
--
Kees Cook
Chrome OS Security
On 04/23/14 at 07:43pm, Kees Cook wrote:
> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <[email protected]> wrote:
> > Hello Kees
> >
> > I'm worrying that setup_data regions could be overwitten by randomize
> > kernel base. Would you like to fix it in kaslr code?
> >
> > One problem is there could be a lot of setup_data regions but current
> > mem_avoid is an fixed array.
>
> Sure, can you give me some examples? Seems like it shouldn't be too
> hard to have the mem_avoid logic walk additional areas.
Great, To walk through the list just like the function parse_setup_data in
arch/x86/kernel/setup.c
Thanks
Dave
Ah, it sounds like boot_params.hdr.setup_data contains a series of
e820-like entries chained together as a linked list? Which loaders
currently populate that? Looks like EFI? Seems like
arch/x86/boot/compressed/eboot.c works on setup_data at least.
I won't be in a position to test EFI booting for a while. If someone
else took this, that would make it get fixed much faster.
Do you have examples where this is actually causing failures?
-Kees
On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <[email protected]> wrote:
> On 04/23/14 at 07:43pm, Kees Cook wrote:
>> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <[email protected]> wrote:
>> > Hello Kees
>> >
>> > I'm worrying that setup_data regions could be overwitten by randomize
>> > kernel base. Would you like to fix it in kaslr code?
>> >
>> > One problem is there could be a lot of setup_data regions but current
>> > mem_avoid is an fixed array.
>>
>> Sure, can you give me some examples? Seems like it shouldn't be too
>> hard to have the mem_avoid logic walk additional areas.
>
> Great, To walk through the list just like the function parse_setup_data in
> arch/x86/kernel/setup.c
>
> Thanks
> Dave
--
Kees Cook
Chrome OS Security
On 04/24/2014 03:50 PM, Kees Cook wrote:
> Ah, it sounds like boot_params.hdr.setup_data contains a series of
> e820-like entries chained together as a linked list? Which loaders
> currently populate that? Looks like EFI? Seems like
> arch/x86/boot/compressed/eboot.c works on setup_data at least.
>
> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.
>
> Do you have examples where this is actually causing failures?
>
> -Kees
Syslinux can populate it with arbitrary data; in particular Syslinux
uses it to pass FDT information if requested.
-hpa
On 04/24/14 at 03:50pm, Kees Cook wrote:
> Ah, it sounds like boot_params.hdr.setup_data contains a series of
> e820-like entries chained together as a linked list? Which loaders
> currently populate that? Looks like EFI? Seems like
> arch/x86/boot/compressed/eboot.c works on setup_data at least.
AFAIK efi stub, kexec, also as HPA mentioned syslinux use it as well.
kexec use setup_data for passing e820 ext ranges, also use it for efi boot.
>
> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.
Because kaslr is randomizing the base, it's hard to produce the failure.
>From the code itself, maybe just iterate the setup_data regions and add them
to avoid list, not necessary to care about the setup_data type..
>
> Do you have examples where this is actually causing failures?
As mentioned above I have no idea how to test. Probably need manually hack
the code to create a failure?
>
> -Kees
>
> On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <[email protected]> wrote:
> > On 04/23/14 at 07:43pm, Kees Cook wrote:
> >> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <[email protected]> wrote:
> >> > Hello Kees
> >> >
> >> > I'm worrying that setup_data regions could be overwitten by randomize
> >> > kernel base. Would you like to fix it in kaslr code?
> >> >
> >> > One problem is there could be a lot of setup_data regions but current
> >> > mem_avoid is an fixed array.
> >>
> >> Sure, can you give me some examples? Seems like it shouldn't be too
> >> hard to have the mem_avoid logic walk additional areas.
> >
> > Great, To walk through the list just like the function parse_setup_data in
> > arch/x86/kernel/setup.c
> >
> > Thanks
> > Dave
>
>
>
> --
> Kees Cook
> Chrome OS Security