Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S976247AbdDXTLE (ORCPT ); Mon, 24 Apr 2017 15:11:04 -0400 Received: from mail-it0-f46.google.com ([209.85.214.46]:37954 "EHLO mail-it0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S973160AbdDXTKz (ORCPT ); Mon, 24 Apr 2017 15:10:55 -0400 MIME-Version: 1.0 In-Reply-To: <1493001650-5793-3-git-send-email-bhe@redhat.com> References: <1493001650-5793-1-git-send-email-bhe@redhat.com> <1493001650-5793-3-git-send-email-bhe@redhat.com> From: Kees Cook Date: Mon, 24 Apr 2017 12:10:53 -0700 X-Google-Sender-Auth: GS6Qn_B7vI3SKFxnNz9iBBsGJqI Message-ID: Subject: Re: [PATCH v2 2/3] KASLR: Handle memory limit specified by memmap and mem option To: Baoquan He Cc: LKML , Ingo Molnar , Dave Jiang , Dan Williams , "H. Peter Anvin" , Thomas Gleixner , Dave Young , Ingo Molnar , "x86@kernel.org" , Yinghai Lu , Borislav Petkov Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5765 Lines: 164 On Sun, Apr 23, 2017 at 7:40 PM, Baoquan He wrote: > Option mem= will limit the max address a system can use and any memory > region above the limit will be removed. > > Furthermore, memmap=nn[KMG] which has no offset specified has the same > behaviour as mem=. > > KASLR needs to consider this when choosing the random position for > decompressing the kernel. > > This patch implements that. > > Signed-off-by: Baoquan He > Cc: "H. Peter Anvin" > Cc: Thomas Gleixner > Cc: Ingo Molnar > Cc: x86@kernel.org > Cc: Kees Cook > Cc: Yinghai Lu > Cc: Borislav Petkov > --- > arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++++++++++++-------- > 1 file changed, 48 insertions(+), 12 deletions(-) > > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c > index 6649ecd..34f66a5 100644 > --- a/arch/x86/boot/compressed/kaslr.c > +++ b/arch/x86/boot/compressed/kaslr.c > @@ -79,6 +79,10 @@ int mem_avoid_memmap_index; > extern unsigned long get_cmd_line_ptr(void); > > > +/* Store memory limit specified by "mem=nn[KMG]" or "memmap=nn[KMG]" */ > +unsigned long long mem_limit = ULLONG_MAX; > + > + > enum mem_avoid_index { > MEM_AVOID_ZO_RANGE = 0, > MEM_AVOID_INITRD, > @@ -129,16 +133,22 @@ parse_memmap(char *p, unsigned long long *start, unsigned long long *size) > return -EINVAL; > > switch (*p) { > - case '@': > - /* Skip this region, usable */ > - *start = 0; > - *size = 0; > - return 0; > case '#': > case '$': > case '!': > *start = memparse(p + 1, &p); > return 0; > + case '@': > + /* memmap=nn@ss specifies usable region, should be skipped */ > + *size = 0; > + default: > + /* > + * If w/o offset, only size specified, memmap=nn[KMG] has the > + * same behaviour as mem=nn[KMG]. It limits the max address > + * system can use. Region above the limit should be avoided. > + */ > + *start = 0; > + return 0; > } > > return -EINVAL; > @@ -164,9 +174,14 @@ static void mem_avoid_memmap(char *str) > if (rc < 0) > break; > str = k; > - /* A usable region that should not be skipped */ > - if (size == 0) > + > + if (start == 0) { > + /* Store the specified memory limit if size > 0 */ > + if (size > 0) > + mem_limit = size; > + > continue; > + } > > mem_avoid[MEM_AVOID_MEMMAP_BEGIN + i].start = start; > mem_avoid[MEM_AVOID_MEMMAP_BEGIN + i].size = size; > @@ -191,6 +206,7 @@ static int handle_mem_memmap(void) > size_t len = strlen((char *)args); > char *tmp_cmdline; > char *param, *val; > + u64 mem_size; > > tmp_cmdline = malloc(COMMAND_LINE_SIZE); > if (!tmp_cmdline ) > @@ -213,8 +229,20 @@ static int handle_mem_memmap(void) > return -1; > } > > - if (!strcmp(param, "memmap")) > + if (!strcmp(param, "memmap")) { > mem_avoid_memmap(val); > + } else if (!strcmp(param, "mem")) { > + char *p = val; > + > + if (!strcmp(p, "nopentium")) > + continue; > + mem_size = memparse(p, &p); > + if (mem_size == 0) { > + free(tmp_cmdline); > + return -EINVAL; > + } > + mem_limit = mem_size; > + } > } > > free(tmp_cmdline); > @@ -451,7 +479,8 @@ static void process_e820_entry(struct boot_e820_entry *entry, > { > struct mem_vector region, overlap; > struct slot_area slot_area; > - unsigned long start_orig; > + unsigned long start_orig, end; > + struct boot_e820_entry cur_entry; > > /* Skip non-RAM entries. */ > if (entry->type != E820_TYPE_RAM) > @@ -465,8 +494,15 @@ static void process_e820_entry(struct boot_e820_entry *entry, > if (entry->addr + entry->size < minimum) > return; > > - region.start = entry->addr; > - region.size = entry->size; > + /* Ignore entries above memory limit */ > + end = min(entry->size + entry->addr, mem_limit); > + if (entry->addr >= end) > + return; > + cur_entry.addr = entry->addr; > + cur_entry.size = end - entry->addr; > + > + region.start = cur_entry.addr; > + region.size = cur_entry.size; > > /* Give up if slot area array is full. */ > while (slot_area_index < MAX_SLOT_AREA) { > @@ -480,7 +516,7 @@ static void process_e820_entry(struct boot_e820_entry *entry, > region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN); > > /* Did we raise the address above this e820 region? */ > - if (region.start > entry->addr + entry->size) > + if (region.start > cur_entry.addr + cur_entry.size) > return; > > /* Reduce size by any delta from the original address. */ > -- > 2.5.5 > Thanks! I find this much more readable. :) Acked-by: Kees Cook -Kees -- Kees Cook Pixel Security