Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp3989463ioo; Wed, 25 May 2022 12:14:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwMyP5FiBhZadIPb87F/OUej4uLv8uZALIkJb8N1bHhiMwQeIDpawOoLo6sI6jBV2mwPoUI X-Received: by 2002:a17:90a:2e83:b0:1da:3273:53ab with SMTP id r3-20020a17090a2e8300b001da327353abmr12002005pjd.14.1653506078631; Wed, 25 May 2022 12:14:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653506078; cv=none; d=google.com; s=arc-20160816; b=DsLyPHLQ58MpgWe5aF7JJhYx3pvbBLsm+RTDpD+MSXSVsEX24lEs8Xm5bZbp8XKTqA WIOSH04uXFdCWgvwsKtXZQp+2qOrNdasnK3BxvUramowkGNL0EPIEdIBQL2RdPSLuP/j 81Erf5TFTb4jT/Bi9BuW8Gop0btCwBiJtk/Imitijrb9jwOgIVR6qA+75scoczR0kq0D AMv1GJPnQN8X3AKg7n7rQgnO6l1Elsy0gR2eYmT/TUxtEIUHJWgH/RPD7jiv3ooMdt0L OgI8DoGB8veeAGBzHRhdLXfqsED0XoAatVe7uABG8aVwlWQPnc5RUUw6T9bFr8pEsIuV LN0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=sGMC9J3i2A0JEMEBRMvIAV6dTYRQjIEP1weGgAQj+xI=; b=W+hnWhCigmjMiZDvDprf5BA2RCdJiC1LHHg07XCaV/Mb3K3TtwyQVmhcucPhAHDU6P uZ5hHdhLAfGiLCa95G8Mv65yskHYT7mFP1OyLP7JJPlByGAFvwFYkxIodDTGG3Xn1kgS ASvGUFG5Dtuf+qhVGOZ3rXSGKQ3zxEdKigailz57b236UlkF7/xq06KGeJgYqtSFArHN yVF1qnsMIuXqt7+vSQXa/Cn4UtV4d86WL7l0eF7XS/2Ip0o7NPxVdLrdDzyiw5e0gGLa zSmD938ByJVzdiRsvVdQid5u2KqBgnIyDsQ8RJynVheQFsTIxv1jq8s67GZYWttGsPQS a8Rg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=DiEqRXuQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j184-20020a638bc1000000b003f9f41da8bcsi16126911pge.23.2022.05.25.12.14.02; Wed, 25 May 2022 12:14:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=DiEqRXuQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244066AbiEYFv7 (ORCPT + 99 others); Wed, 25 May 2022 01:51:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36534 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242912AbiEYFv5 (ORCPT ); Wed, 25 May 2022 01:51:57 -0400 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 382245933B; Tue, 24 May 2022 22:51:55 -0700 (PDT) Received: by mail-pl1-x632.google.com with SMTP id q4so17680520plr.11; Tue, 24 May 2022 22:51:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=sGMC9J3i2A0JEMEBRMvIAV6dTYRQjIEP1weGgAQj+xI=; b=DiEqRXuQ0GoU9KOzRPRrrP85Totp4N3hDUUUgE0VkGyrk02TPDqDfZBf70fDXvngz0 mRai2GwSRPKbCa31jEvrNpaxeYx36xCanlyV1jjlbx98ff9RWsD6vnYfgrUPrtW7T7kt 42JTkzlNn1glDLKL3mN5I69G1L1fgFFgtjELNHlXMA9xZkSV5ip/IzmXs8EG2kRn/BV4 k+u4LL7A/ObwbTk+/E5XNX82YHAVXOMHdR0sGY0oaBIJEk6sw415oGineHm28+2MAsy+ jz1lMhLLi6AEbMMo26XkRoKRnvYWV1OYi1nNcCotDO2m78AXiwHkYO1Z4hpj0hR1xiUI LfOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=sGMC9J3i2A0JEMEBRMvIAV6dTYRQjIEP1weGgAQj+xI=; b=yFrAJfvKS3xvboGBgqlGG9nFznLGMzkUbBsAqPz7QjNlos70MPXC5A4qG/2pKv/y9F 5ZvfEiFa8fRQ44LEVXTkA6khkxAAvGsehHv7WD25QJPUgc4+qTljAWd+A27UrsLfGgHc WBqkpIqI5KuYtyqtNS7P6jGtecxgmlv7BiwQd8lvL9s72PsBZirq3aDwgFeTfm2LLw+G BV+LhCPm6KTviP9XB5xuNxJQN+k+AxuTXVsghKjJ1cQwOE+djFY8T/lmd32D3//TvmA3 dduRGD8uS7FAs0rAPX9lpDH7r5OeUvBa/GF2ncqajT1lOI/B5sMgiCGACiakQ9GPxj6H UqZw== X-Gm-Message-State: AOAM531S/ZXJEiIa6e6z+CJJiwchund2lHBZgZ5YfRNS1D5PIDUubQmt sg5/PBwdKueKIn9Byymdnr8= X-Received: by 2002:a17:90b:1e46:b0:1e0:10de:f8e4 with SMTP id pi6-20020a17090b1e4600b001e010def8e4mr8587987pjb.7.1653457914739; Tue, 24 May 2022 22:51:54 -0700 (PDT) Received: from localhost ([2406:7400:63:4576:a782:286b:de51:79ce]) by smtp.gmail.com with ESMTPSA id x17-20020a170902821100b0015e8d4eb2a8sm8134043pln.242.2022.05.24.22.51.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 May 2022 22:51:54 -0700 (PDT) Date: Wed, 25 May 2022 11:21:49 +0530 From: Ritesh Harjani To: Vaibhav Jain Cc: linuxppc-dev@lists.ozlabs.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, "Aneesh Kumar K . V" , Michael Ellerman , Frank Rowand , Prakhar Srivastava , Lakshmi Ramasubramanian , Thiago Jung Bauermann , Rob Herring Subject: Re: [PATCH v2] of: check previous kernel's ima-kexec-buffer against memory bounds Message-ID: <20220525055149.f4nqx2ocnh3pqnpr@riteshh-domain> References: <20220524055042.1527968-1-vaibhav@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220524055042.1527968-1-vaibhav@linux.ibm.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Just a minor nit which I noticed. On 22/05/24 11:20AM, Vaibhav Jain wrote: > Presently ima_get_kexec_buffer() doesn't check if the previous kernel's > ima-kexec-buffer lies outside the addressable memory range. This can result > in a kernel panic if the new kernel is booted with 'mem=X' arg and the > ima-kexec-buffer was allocated beyond that range by the previous kernel. > The panic is usually of the form below: > > $ sudo kexec --initrd initrd vmlinux --append='mem=16G' > > > BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000 > Faulting instruction address: 0xc000000000837974 > Oops: Kernel access of bad area, sig: 11 [#1] > > NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0 > LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 > Call Trace: > [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 > [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108 > [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120 > [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0 > [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec > [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0 > [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64 > Instruction dump: > f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330 > 7c0802a6 fb610198 7c9b2378 f80101d0 2c090001 40820614 e9240010 > ---[ end trace 0000000000000000 ]--- > > Fix this issue by checking returned PFN range of previous kernel's > ima-kexec-buffer with pfn_valid to ensure correct memory bounds. > > Fixes: 467d27824920 ("powerpc: ima: get the kexec buffer passed by the previous kernel") > Cc: Frank Rowand > Cc: Prakhar Srivastava > Cc: Lakshmi Ramasubramanian > Cc: Thiago Jung Bauermann > Cc: Rob Herring > Signed-off-by: Vaibhav Jain > > --- > Changelog > ========== > > v2: > * Instead of using memblock to determine the valid bounds use pfn_valid() to do > so since memblock may not be available late after the kernel init. [ Mpe ] > * Changed the patch prefix from 'powerpc' to 'of' [ Mpe ] > * Updated the 'Fixes' tag to point to correct commit that introduced this > function. [ Rob ] > * Fixed some whitespace/tab issues in the patch description [ Rob ] > * Added another check for checking ig 'tmp_size' for ima-kexec-buffer is > 0 > --- > drivers/of/kexec.c | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c > index 8d374cc552be..879e984fe901 100644 > --- a/drivers/of/kexec.c > +++ b/drivers/of/kexec.c > @@ -126,6 +126,7 @@ int ima_get_kexec_buffer(void **addr, size_t *size) > { > int ret, len; > unsigned long tmp_addr; > + unsigned int start_pfn, end_pfn; ^^^ Shouldn't this be unsigned long? -ritesh > size_t tmp_size; > const void *prop; > > @@ -140,6 +141,22 @@ int ima_get_kexec_buffer(void **addr, size_t *size) > if (ret) > return ret; > > + /* Do some sanity on the returned size for the ima-kexec buffer */ > + if (!tmp_size) > + return -ENOENT; > + > + /* > + * Calculate the PFNs for the buffer and ensure > + * they are with in addressable memory. > + */ > + start_pfn = PHYS_PFN(tmp_addr); > + end_pfn = PHYS_PFN(tmp_addr + tmp_size - 1); > + if (!pfn_valid(start_pfn) || !pfn_valid(end_pfn)) { > + pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond memory\n", > + tmp_addr, tmp_size); > + return -EINVAL; > + } > + > *addr = __va(tmp_addr); > *size = tmp_size; > > -- > 2.35.1 >