Date: Mon, 23 Oct 2023 02:31:21 +0000
Message-ID: <20231023023121.1464544-1-jsperbeck@google.com>
Subject: [PATCH] x86/kexec: set MIN_KERNEL_LOAD_ADDR to 0x01000000
From: John Sperbeck
To: Eric Biederman, Thomas Gleixner, Ingo Molnar, Borislav Petkov, H. Peter Anvin, Baoquan He, kexec@lists.infradead.org
Cc: Dave Hansen, Zac Tang, Cloud Hsu, linux-kernel@vger.kernel.org, John Sperbeck

The physical memory range that kexec selects for the compressed bzImage target kernel might not be where it runs from. The startup_64() code in head_64.S copies itself out of the way before the decompression so it doesn't clobber itself. If the start of the memory range selected by kexec is above LOAD_PHYSICAL_ADDR (0x01000000 by default), then the copy remains within the memory area. But if the start is below this range, then the copy will likely end up outside the range.

Usually, this will be harmless because not much memory is in use at the time of the pre-decompression copy, so there is little to accidentally clobber. However, an unlucky choice for the address of the kernel and the initrd could put the initrd in harm's way. For example:

0x00400000 - physical address for target kernel
0x03ff8000 - physical address of seven-page initrd
0x0302c000 - size of uncompressed kernel (about 50 Mbytes)

The decompressed kernel will span 0x01000000 through 0x0402c000, which will overwrite the initrd.
If the kexec code restricts itself to physical addresses above 0x01000000, then the pre-decompression copy and the decompression itself will stay within the bounds of the memory kexec selected (unless a non-default value is used in the target kernel for CONFIG_PHYSICAL_START, which will change LOAD_PHYSICAL_ADDR, but that's probably unsolvable unless the target kernel were to somehow communicate this to kexec).

Signed-off-by: John Sperbeck
---
 arch/x86/kernel/kexec-bzimage64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index a61c12c01270..d6bf6c13dab1 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -36,7 +36,7 @@ */ #define MIN_PURGATORY_ADDR 0x3000 #define MIN_BOOTPARAM_ADDR 0x3000 -#define MIN_KERNEL_LOAD_ADDR 0x100000 +#define MIN_KERNEL_LOAD_ADDR 0x1000000 #define MIN_INITRD_LOAD_ADDR 0x1000000 /* -- 2.42.0.655.g421f12c284-goog
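Review bot: the new lower bound 0x1000000 in the hunk is a bare literal with nothing in the file saying why it equals the default LOAD_PHYSICAL_ADDR, so a later reader sees MIN_KERNEL_LOAD_ADDR and MIN_INITRD_LOAD_ADDR as two coincidentally equal magic numbers. Extend the comment block that closes just above `#define MIN_PURGATORY_ADDR 0x3000` to state that the kernel must be loaded at or above the default LOAD_PHYSICAL_ADDR so that the startup_64() relocation copy and the decompression stay inside the range kexec reserved, and that a target kernel built with a non-default CONFIG_PHYSICAL_START is not covered; both points currently live only in the commit log.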
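As an added illustration of the layout the commit message describes (not code from the patch or from the kernel), the C model below encodes the head_64.S rule that a kernel loaded below LOAD_PHYSICAL_ADDR is decompressed at LOAD_PHYSICAL_ADDR instead, and checks the commit's example numbers against the old and new MIN_KERNEL_LOAD_ADDR. It assumes the default LOAD_PHYSICAL_ADDR of 0x1000000 and ignores the decompressor's alignment rounding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: target kernel uses the default CONFIG_PHYSICAL_START. */
#define LOAD_PHYSICAL_ADDR 0x1000000ULL
/* Lower bound for the kexec-selected kernel address before and after the patch. */
#define MIN_KERNEL_LOAD_ADDR_OLD 0x100000ULL
#define MIN_KERNEL_LOAD_ADDR_NEW 0x1000000ULL

/* Simplified model of the relocatable-kernel path in head_64.S: a kernel loaded
 * at or above LOAD_PHYSICAL_ADDR is decompressed in place, one loaded below it
 * is moved up to LOAD_PHYSICAL_ADDR (alignment rounding ignored). */
static uint64_t decompress_target(uint64_t load_addr)
{
    return load_addr >= LOAD_PHYSICAL_ADDR ? load_addr : LOAD_PHYSICAL_ADDR;
}

/* Half-open range overlap test on [a, a+a_len) and [b, b+b_len). */
static bool ranges_overlap(uint64_t a, uint64_t a_len, uint64_t b, uint64_t b_len)
{
    return a < b + b_len && b < a + a_len;
}

/* True when the uncompressed kernel would be written over the initrd. */
bool initrd_clobbered(uint64_t kernel_load, uint64_t uncompressed_size,
                      uint64_t initrd_addr, uint64_t initrd_size)
{
    uint64_t out = decompress_target(kernel_load);
    return ranges_overlap(out, uncompressed_size, initrd_addr, initrd_size);
}

/* With min_load as the lowest address kexec may pick, can decompression leave
 * the range kexec selected? It can whenever the decompressor relocates upward. */
bool decompression_can_escape_range(uint64_t min_load)
{
    return decompress_target(min_load) != min_load;
}

int main(void)
{
    /* Constructed from the commit message's example layout. */
    uint64_t kernel = 0x00400000, uncompressed = 0x0302c000;
    uint64_t initrd = 0x03ff8000, initrd_len = 7 * 4096;
    printf("initrd clobbered: %s\n",
           initrd_clobbered(kernel, uncompressed, initrd, initrd_len) ? "yes" : "no");
    printf("old bound can escape range: %s\n",
           decompression_can_escape_range(MIN_KERNEL_LOAD_ADDR_OLD) ? "yes" : "no");
    printf("new bound can escape range: %s\n",
           decompression_can_escape_range(MIN_KERNEL_LOAD_ADDR_NEW) ? "yes" : "no");
    return 0;
}
```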