Re: [PATCH] mm,memblock: reset memblock.reserved to system init state to prevent UAF

[Mike Rapoport <rppt@kernel.org>]

Hi Ric,

On Wed, Jul 19, 2023 at 03:41:37PM -0400, Rik van Riel wrote:
> The memblock_discard function frees the memblock.reserved.regions
> array, which is good.
> 
> However, if a subsequent memblock_free (or memblock_phys_free) comes
> in later, from for example ima_free_kexec_buffer, that will result in
> a use after free bug in memblock_isolate_range.

The use of memblock_phys_free() in ima_free_kexec_buffer() is entirely
bogus and must be fixed. It should be memblock_free_late() there.
 
> When running a kernel with CONFIG_KASAN enabled, this will cause a
> kernel panic very early in boot. Without CONFIG_KASAN, there is
> a chance that memblock_isolate_range might scribble on memory
> that is now in use by somebody else.
 
This can't happen because memblock_double_array() uses kmalloc() as soon as
slab_is_available(), so this sentence is misleading.

> Avoid those issues by making sure that memblock_discard points
> memblock.reserved.regions back at the static buffer.
>
> If memblock_discard is called while there is still memory
> in the memblock.reserved type, that will print a warning
> in memblock_remove_region.
> 
> Signed-off-by: Rik van Riel <riel@surriel.com>
> ---
>  mm/memblock.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 3feafea06ab2..068289a46903 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -374,6 +374,10 @@ void __init memblock_discard(void)
>  			kfree(memblock.reserved.regions);
>  		else
>  			memblock_free_late(addr, size);
> +		/* Reset to prevent UAF from stray frees. */
> +		memblock.reserved.regions = memblock_reserved_init_regions;
> +		memblock.reserved.cnt = 1;
> +		memblock_remove_region(&memblock.reserved, 0);
>  	}
>  
>  	if (memblock.memory.regions != memblock_memory_init_regions) {
> -- 
> 2.34.1
> 
> 

-- 
Sincerely yours,
Mike.