Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5308579rdb; Wed, 13 Dec 2023 05:20:51 -0800 (PST) X-Google-Smtp-Source: AGHT+IHfMLBye0FUdVheH3/C/9XNGpWApjQvDqeJX7fgkArC3V177II4EtSBLp8KbBChNeNlZMuA X-Received: by 2002:a05:6a20:7d8e:b0:18c:110e:c34e with SMTP id v14-20020a056a207d8e00b0018c110ec34emr4598120pzj.34.1702473651215; Wed, 13 Dec 2023 05:20:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702473651; cv=none; d=google.com; s=arc-20160816; b=xrYb57KFemymYXPFG2pFZtSa8E24mha3ZChBENIaB+NYeboPpvsCE8TtcKS9QB0nss 0woeuy8l2tsRJxUjsMktGMLNY8Qp3AU0nd802XzIrptaSdBjXEBCOyuFzg/gexs2FP+b lYnwHBJXa1tmsKrf24OUaCGxm0Pc+aDJwx1qFgeDh+3Mzytvio3vLdbh2ztgYzsNHLyD PzIxJdpQl8L0hXl+VjQVat7UbmF2pBlW1JaxGfbq9jKdinPtQYvq6ljLCE9ifPK19frU Ymy0sMBUXTGuiy4VVRFrpZSIsfHLjkMyzxox6f51TV9WCQpozMc6Xwz2pV/IVUlSrNiI DidQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=TFv9Sj01VdRmBr3F1K7Lby9Mq2zgIjNOdOpAT3zbY4U=; fh=zq/kTYSb4kHUAaxkWUbvmqC+sl7O3x4rrdIXSgxAw+w=; b=MBsVHxRLJlOaJnyeNBtVUoQAu4ypxD8QNm+nPs3yCAuah8584E2c2cR1OLbT87yS6d ly+CpBmrLDMqIvHnPviXENDjWwdj5ATHDeyFyq7LZb1z+16VXGxyyHA7YbhX5XTy3mbn +MGMsu4puhxn1ydLk90yGALEMPXtipNYgUbyGMDr2ZNqNtjCagqFbaNavrmqN10jPFCD 6gzRA2KNW9R8C+CNiugtgCKqJ3lGon8XR23ytZR3EfZr3ERcDLBec2d7dYQAJ3SLkKwv c5rY7Z6LwPlUcKS2HEHnopJbDHBZxT108EMqY/BTOFLNKf505MFA7GRZVZPuFLHIA9YS dNyA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=easystack.cn Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id h18-20020a17090aa89200b00285b8197a32si10895377pjq.167.2023.12.13.05.20.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 05:20:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=easystack.cn Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id C5BDF803A534; Wed, 13 Dec 2023 05:20:47 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379191AbjLMNU2 (ORCPT + 99 others); Wed, 13 Dec 2023 08:20:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1379161AbjLMNU1 (ORCPT ); Wed, 13 Dec 2023 08:20:27 -0500 X-Greylist: delayed 490 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 13 Dec 2023 05:20:31 PST Received: from mail-m17207.xmail.ntesmail.com (mail-m17207.xmail.ntesmail.com [45.195.17.207]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51ECCEB for ; Wed, 13 Dec 2023 05:20:31 -0800 (PST) Received: from [10.9.0.122] (unknown [211.103.144.18]) by smtp.qiye.163.com (Hmail) with ESMTPA id 32B6F560105; Wed, 13 Dec 2023 21:10:03 +0800 (CST) Message-ID: <92a1bdff-e988-48ff-8e78-2998834a3e02@easystack.cn> Date: Wed, 13 Dec 2023 21:10:01 +0800 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range() Content-Language: en-US To: Baoquan He Cc: Vivek Goyal , Dave Young , kexec@lists.infradead.org, linux-kernel@vger.kernel.org References: <20231127025641.62210-1-fuqiang.wang@easystack.cn> From: fuqiang wang In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFJQjdXWS1ZQUlXWQ8JGhUIEh9ZQVkaTx1CVhlISEIfGhhPT0MYT1UZERMWGhIXJBQOD1 lXWRgSC1lBWUlKSlVKS0hVSk9PVUpDWVdZFhoPEhUdFFlBWU9LSFVKTU9JTE5VSktLVUpCS0tZBg ++ X-HM-Tid: 0a8c634c72cf0278kunm32b6f560105 X-HM-MType: 1 X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Pz46SBw6ODE*PwkBMT0#TBFN EUtPCQ5VSlVKTEtJT0xIS0tPTEJNVTMWGhIXVR0OChIaFRxVDBoVHDseGggCCA8aGBBVGBVFWVdZ EgtZQVlJSkpVSktIVUpPT1VKQ1lXWQgBWUFNSUtLNwY+ X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 13 Dec 2023 05:20:47 -0800 (PST) 在 2023/12/13 12:44, Baoquan He 写道: > On 11/30/23 at 09:20pm, fuqiang wang wrote: >> On 2023/11/30 15:44, Baoquan He wrote: >>> On 11/27/23 at 10:56am, fuqiang wang wrote: >>>> When the split happened, judge whether mem->nr_ranges is equal to >>>> mem->max_nr_ranges. If it is true, return -ENOMEM. >>>> >>>> The advantage of doing this is that it can avoid array bounds caused by >>>> some bugs. E.g., Before commit 4831be702b95 ("arm64/kexec: Fix missing >>>> extra range for crashkres_low."), reserve both high and low memories for >>>> the crashkernel may cause out of bounds. >>>> >>>> On the other hand, move this code before the split to ensure that the >>>> array will not be changed when return error. >>> If out of array boundary is caused, means the laoding failed, whether >>> the out of boundary happened or not. I don't see how this code change >>> makes sense. Do I miss anything? >>> >>> Thanks >>> Baoquan >>> >> Hi baoquan, >> >> In some configurations, out of bounds may not cause crash_exclude_mem_range() >> returns error, then the load will succeed. >> >> E.g. >> There is a cmem before execute crash_exclude_mem_range(): >> >>   cmem = { >>     max_nr_ranges = 3 >>     nr_ranges = 2 >>     ranges = { >>        {start = 1,      end = 1000} >>        {start = 1001,    end = 2000} >>     } >>   } >> >> After executing twice crash_exclude_mem_range() with the start/end params >> 100/200, 300/400 respectively, the cmem will be: >> >>   cmem = { >>     max_nr_ranges = 3 >>     nr_ranges = 4                    <== nr_ranges > max_nr_ranges >>     ranges = { >>       {start = 1,       end = 99  } >>       {start = 201,     end = 299 } >>       {start = 401,     end = 1000} >>       {start = 1001,    end = 2000}  <== OUT OF BOUNDS >>     } >>   } >> >> When an out of bounds occurs during the second execution, the function will not >> return error. >> >> Additionally, when the function returns error, means the load failed. It seems >> meaningless to keep the original data unchanged. But in my opinion, this will >> make this function more rigorous and more versatile. (However, I am not sure if >> it is self-defeating and I hope to receive more suggestions). > Sorry for late reply. > > I checked the code again, there seems to be cases out of bounds occur > very possiblly. We may need to enlarge the cmem array to avoid the risk. > > In below draft code, we need add another slot to exclude the low 1M area > when preparing elfcorehdr. And to exclude the elf header region from > crash kernel region, we need create the cmem with 2 slots. > > With these change, we can absolutely avoid out of bounds occurence. > What do you think? > > diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c > index 1715e5f06a59..21facabcf699 100644 > --- a/arch/x86/kernel/crash.c > +++ b/arch/x86/kernel/crash.c > @@ -147,10 +147,10 @@ static struct crash_mem *fill_up_crash_elf_data(void) > return NULL; > > /* > - * Exclusion of crash region and/or crashk_low_res may cause > - * another range split. So add extra two slots here. > + * Exclusion of low 1M, crash region and/or crashk_low_res may > + * cause another range split. So add extra two slots here. > */ > - nr_ranges += 2; > + nr_ranges += 3; > cmem = vzalloc(struct_size(cmem, ranges, nr_ranges)); > if (!cmem) > return NULL; Hi baoquan, Exclusion of low 1M may not cause new region. Because when calling crash_exclude_mem_range(), the start parameter is 0 and the condition for splitting a new region is that the start, end parameters are both in a certain existing region in cmem and cannot be equal to existing region's start or end. Obviously, start (0) cannot meet this condition. > @@ -282,7 +282,7 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params) > struct crash_memmap_data cmd; > struct crash_mem *cmem; > > - cmem = vzalloc(struct_size(cmem, ranges, 1)); > + cmem = vzalloc(struct_size(cmem, ranges, 2)); > if (!cmem) > return -ENOMEM; > > Yes, you are right. Exclude the elf header region from crash kernel region may cause split a new region. And there seems to be another issue with this code path: Before calling crash_exclude_mem_range(), cmem->max_nr_ranges was not initialized. In my opinion, these change can absolutely avoid out of bounds occurence. But when we forget to modify max_nr_ranges due to a mistakes in the future, is it better to report it by returning an error through crash_exclude_mem_range(). What do you think about it? Thanks fuqiang