Re: [PATCH 1/1] x86: sanitize argument of clearcpuid command-line option

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ingo Molnar <mingo@kernel.org>
To: Borislav Petkov <bp@alien8.de>
Cc: Lukasz Odzioba <lukasz.odzioba@intel.com>,
	linux-kernel@vger.kernel.org, tglx@linutronix.de,
	mingo@redhat.com, hpa@zytor.com, x86@kernel.org, luto@kernel.org,
	slaoub@gmail.com, bp@suse.de, dave.hansen@linux.intel.com,
	andi.kleen@intel.com
Subject: Re: [PATCH 1/1] x86: sanitize argument of clearcpuid command-line option
Date: Thu, 5 Jan 2017 08:55:59 +0100	[thread overview]
Message-ID: <20170105075559.GA2098@gmail.com> (raw)
In-Reply-To: <20161229102105.GD11221@nazgul.tnic>


* Borislav Petkov <bp@alien8.de> wrote:

> On Wed, Dec 28, 2016 at 02:55:40PM +0100, Lukasz Odzioba wrote:
> > A negative number can be specified in the cmdline which will be used as
> > setup_clear_cpu_cap() argument. With that we can clear/set some bit in
> > memory predceeding boot_cpu_data/cpu_caps_cleared which may cause kernel
> > to misbehave. This patch adds lower bound check to setup_disablecpuid().
> > 
> > Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
> > 
> > Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
> > ---
> > As an example let's change definition of one_hundred variable:
> > ffffffff81c4eeec d one_hundred
> > ffffffff81d69720 D boot_cpu_data (0x14 is x86_capability offset)
> > 
> > 8*(0xffffffff81d69734-0xffffffff81c4eeec) => 9257536 -2 because we
> > want to clear the second bit. With clearcpuid=-9257534 we change the
> > definition of one_hundread to 96 which is used among other things
> > as sysfs' max value for swappiness, so we can check the effect like so:
> > # echo 96 >  /proc/sys/vm/swappiness
> > # echo 97 >  /proc/sys/vm/swappiness
> > -bash: echo: write error: Invalid argument
> > ---
> >  arch/x86/kernel/cpu/common.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> > index dc1697c..9bab7a8 100644
> > --- a/arch/x86/kernel/cpu/common.c
> > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -1221,7 +1221,7 @@ static __init int setup_disablecpuid(char *arg)
> >  {
> >  	int bit;
> >  
> > -	if (get_option(&arg, &bit) && bit < NCAPINTS*32)
> > +	if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
> >  		setup_clear_cpu_cap(bit);
> >  	else
> >  		return 0;
> > -- 
> 
> Yap, that's a good catch!
> 
> Acked-by: Borislav Petkov <bp@suse.de>
> 
> I even got a splat while experimenting with this:
> 
> 
> [    1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
> [    1.236535] IP: memcpy_erms+0x6/0x10

Good one, queued it up.

Btw., another (separate) fix would be to keep the kernel's option filtering code 
from being passive aggressive:

        if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
                setup_clear_cpu_cap(bit);
        else
                return 0;

When we don't accept the value we should at least inform the user (via a printk 
that includes the 'clearcpuid' token in its message) that we totally ignored 
whatever he wanted. Something like:

	pr_warn("x86/cpu: Ignoring invalid "clearcpuid=%s' option!\n", arg)

Which would save quite a bit of head scratching and frustration when someone has a 
bad enough day to add silly typos to the kernel cmdline.

Thanks,

	Ingo

next prev parent reply	other threads:[~2017-01-05  7:56 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-28 13:55 [PATCH 1/1] x86: sanitize argument of clearcpuid command-line option Lukasz Odzioba
2016-12-29 10:21 ` Borislav Petkov
2017-01-05  7:55   ` Ingo Molnar [this message]
2017-01-16 18:50     ` Odzioba, Lukasz
2017-01-17  7:17       ` Ingo Molnar
2017-01-18  9:52         ` Odzioba, Lukasz
2017-01-05 15:04 ` [tip:x86/urgent] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' " tip-bot for Lukasz Odzioba

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170105075559.GA2098@gmail.com \
    --to=mingo@kernel.org \
    --cc=andi.kleen@intel.com \
    --cc=bp@alien8.de \
    --cc=bp@suse.de \
    --cc=dave.hansen@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lukasz.odzioba@intel.com \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=slaoub@gmail.com \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.