Date: Thu, 20 Jul 2023 08:00:47 +0300
From: Mike Rapoport
To: Rik van Riel
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] mm,memblock: reset memblock.reserved to system init state to prevent UAF
Message-ID: <20230720050047.GL1901145@kernel.org>
References: <20230719154137.732d8525@imladris.surriel.com>
In-Reply-To: <20230719154137.732d8525@imladris.surriel.com>
Hi Rik,

On Wed, Jul 19, 2023 at 03:41:37PM -0400, Rik van Riel wrote:
> The memblock_discard function frees the memblock.reserved.regions
> array, which is good.
>
> However, if a subsequent memblock_free (or memblock_phys_free) comes
> in later, from for example ima_free_kexec_buffer, that will result in
> a use after free bug in memblock_isolate_range.

The use of memblock_phys_free() in ima_free_kexec_buffer() is entirely
bogus and must be fixed. It should be memblock_free_late() there.

> When running a kernel with CONFIG_KASAN enabled, this will cause a
> kernel panic very early in boot. Without CONFIG_KASAN, there is
> a chance that memblock_isolate_range might scribble on memory
> that is now in use by somebody else.

This can't happen because memblock_double_array() uses kmalloc() as
soon as slab_is_available(), so this sentence is misleading.

> Avoid those issues by making sure that memblock_discard points
> memblock.reserved.regions back at the static buffer.
>
> If memblock_discard is called while there is still memory
> in the memblock.reserved type, that will print a warning
> in memblock_remove_region.
>
> Signed-off-by: Rik van Riel
> ---
>  mm/memblock.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 3feafea06ab2..068289a46903 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -374,6 +374,10 @@ void __init memblock_discard(void)
>  			kfree(memblock.reserved.regions);
>  		else
>  			memblock_free_late(addr, size);
> +		/* Reset to prevent UAF from stray frees. */
> +		memblock.reserved.regions = memblock_reserved_init_regions;
> +		memblock.reserved.cnt = 1;
> +		memblock_remove_region(&memblock.reserved, 0);
>  	}
>
>  	if (memblock.memory.regions != memblock_memory_init_regions) {
> --
> 2.34.1
>
>

--
Sincerely yours,
Mike.
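Review bot: the comment `/* Reset to prevent UAF from stray frees. */` in the memblock_discard() hunk names the symptom but not what the three statements after it do: `memblock.reserved.cnt = 1;` followed by `memblock_remove_region(&memblock.reserved, 0);` is relying on the remove path to leave the static array as a single empty entry and, as the changelog says, to print a warning if reserved memory is still tracked at discard time. Put that in the code comment, otherwise the remove_region() call on a just-reset array reads like a leftover, and the warning it is expected to raise is documented only in the commit message. On style, the new lines follow the brace-less `else` / `memblock_free_late(addr, size);` directly; a blank line before the comment, or braces around that else branch, would make it obvious that the reset runs after both the kfree() and the memblock_free_late() branch rather than only the latter.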