Date: Sun, 10 Jan 2021 14:21:05 +0000
To: Thomas Bogendoerfer
From: Alexander Lobakin
Cc: Nathan Chancellor, Nick Desaulniers, Kees Cook, Jinyang He, Alexander Lobakin, Ralf Baechle, Matt Redfearn, linux-mips@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com
Reply-To: Alexander Lobakin
Subject: [PATCH mips-fixes] MIPS: relocatable: fix possible boot hangup with KASLR enabled
Message-ID: <20210110142023.185275-1-alobakin@pm.me>

LLVM-built Linux triggered a boot hangup with KASLR enabled.

arch/mips/kernel/relocate.c:get_random_boot() uses linux_banner, which is a string constant, as a random seed, but accesses it as an array of unsigned long (in rotate_xor()). When the address of linux_banner is not aligned to sizeof(long), such access emits unaligned access exception and hangs the kernel.

Use PTR_ALIGN() to align input address to sizeof(long) and also align down the input length to prevent possible access-beyond-end.

Fixes: 405bc8fd12f5 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
Cc: stable@vger.kernel.org # 4.7+
Signed-off-by: Alexander Lobakin

--- arch/mips/kernel/relocate.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/arch/mips/kernel/relocate.c b/arch/mips/kernel/relocate.c index 47aeb3350a76..0e365b7c742d 100644 --- a/arch/mips/kernel/relocate.c +++ b/arch/mips/kernel/relocate.c 
@@ -187,8 +187,14 @@ static int __init relocate_exception_table(long offset= ) static inline __init unsigned long rotate_xor(unsigned long hash, =09=09=09=09=09 const void *area, size_t size) { -=09size_t i; -=09unsigned long *ptr =3D (unsigned long *)area; +=09const typeof(hash) *ptr =3D PTR_ALIGN(area, sizeof(hash)); +=09size_t diff, i; + +=09diff =3D (void *)ptr - area; +=09if (unlikely(size < diff + sizeof(hash))) +=09=09return hash; + +=09size =3D ALIGN_DOWN(size - diff, sizeof(hash)); =20 =09for (i =3D 0; i < size / sizeof(hash); i++) { =09=09/* Rotate by odd number of bits and XOR. */ --=20 2.30.0
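
Review bot: In the added `size = ALIGN_DOWN(size - diff, sizeof(hash));` line the round-down is redundant, because the unchanged loop bound `i < size / sizeof(hash)` already truncates to whole words; `size -= diff;` would be enough. The `PTR_ALIGN()` round-up and the new early `return hash;` also mean that up to `sizeof(hash) - 1` leading bytes, any trailing partial word, and any area shorter than one aligned word are silently left out of the hash. Since the commit message says this value is used as a random seed in get_random_boot(), a short comment above rotate_xor() stating that only the aligned whole words of `area` are mixed in would help the next reader. Finally, `(void *)ptr - area` casts away the `const` that both `ptr` and `area` carry; `(const void *)ptr - area` keeps the qualifier.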