Date: Thu, 20 Jul 2023 19:25:22 +0300
From: Mike Rapoport
To: Rik van Riel
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] mm,memblock: reset memblock.reserved to system init state to prevent UAF
Message-ID: <20230720162522.GO1901145@kernel.org>
References: <20230719154137.732d8525@imladris.surriel.com>
In-Reply-To: <20230719154137.732d8525@imladris.surriel.com>

On Wed, Jul 19, 2023 at 03:41:37PM -0400, Rik van Riel wrote:
> The memblock_discard function frees the memblock.reserved.regions
> array, which is good.
>
> However, if a subsequent memblock_free (or memblock_phys_free) comes
> in later, from for example ima_free_kexec_buffer, that will result in
> a use after free bug in memblock_isolate_range.
>
> When running a kernel with CONFIG_KASAN enabled, this will cause a
> kernel panic very early in boot. Without CONFIG_KASAN, there is
> a chance that memblock_isolate_range might scribble on memory
> that is now in use by somebody else.
>
> Avoid those issues by making sure that memblock_discard points
> memblock.reserved.regions back at the static buffer.
>
> If memblock_discard is called while there is still memory
> in the memblock.reserved type, that will print a warning
> in memblock_remove_region.

I'm going to apply this with the last paragraph rewritten as

If memblock_free is called after memblock memory is discarded, that
will print a warning in memblock_remove_region.

> Signed-off-by: Rik van Riel
> ---
>  mm/memblock.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/mm/memblock.c b/mm/memblock.c
> index 3feafea06ab2..068289a46903 100644
> --- a/mm/memblock.c
> +++ b/mm/memblock.c
> @@ -374,6 +374,10 @@ void __init memblock_discard(void)
>  			kfree(memblock.reserved.regions);
>  		else
>  			memblock_free_late(addr, size);
> +		/* Reset to prevent UAF from stray frees. */
> +		memblock.reserved.regions = memblock_reserved_init_regions;
> +		memblock.reserved.cnt = 1;
> +		memblock_remove_region(&memblock.reserved, 0);
>  	}
>
>  	if (memblock.memory.regions != memblock_memory_init_regions) {
> --
> 2.34.1
>
>

--
Sincerely yours,
Mike.
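Review bot: the reset in the memblock_discard hunk restores `memblock.reserved.regions` and `memblock.reserved.cnt` but leaves the type's `max` (the array capacity) untouched, so after this change the reserved type can still advertise the grown capacity of the array that was just freed while pointing at the static `memblock_reserved_init_regions`; either reset `max` to the static array's size next to `cnt = 1`, or state in the comment why nothing can insert into the reserved type after discard. The comment `/* Reset to prevent UAF from stray frees. */` also does not say what `memblock_remove_region(&memblock.reserved, 0)` is for once `cnt` is already 1: it is there to clear whatever stale entry the static array still holds from before the array was moved, and it is also where the warning mentioned in the changelog is printed, so a second sentence in the comment would spare the next reader that reconstruction.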