From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754007AbcCHFXI (ORCPT ); Tue, 8 Mar 2016 00:23:08 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50508 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753491AbcCHFXC (ORCPT ); Tue, 8 Mar 2016 00:23:02 -0500
Date: Tue, 8 Mar 2016 13:22:51 +0800
From: Baoquan He
To: Kees Cook
Cc: LKML, Yinghai Lu, "H. Peter Anvin", Vivek Goyal, Ingo Molnar, Borislav Petkov, Andy Lutomirski, lasse.collin@tukaani.org, Andrew Morton, Dave Young
Subject: Re: [PATCH v3 12/19] x86, kaslr: Fix a bug that relocation can not be handled when kernel is loaded above 2G
Message-ID: <20160308052251.GF2481@x1.redhat.com>
References: <1457108717-12191-1-git-send-email-bhe@redhat.com> <1457108717-12191-13-git-send-email-bhe@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/07/16 at 03:30pm, Kees Cook wrote:
> On Fri, Mar 4, 2016 at 8:25 AM, Baoquan He wrote:
> > When processing 32 bit relocation tables, a local variable 'extended'
> > is defined to calculate the physical address of the relocs entry.
> > However its type is 'int', which is enough for i386, but not enough
> > for x86_64. That's why relocation can only be handled under 2G.
> > Otherwise an overflow will happen and cause a system hang.
> >
> > Here change it to 'long' as 32 bit inverse relocation processing
> > does, and this change is safe for i386 relocation handling.
> > > > Signed-off-by: Baoquan He > > Acked-by: Kees Cook > > This patch should probably be moved up into the start of this series > instead of living in the middle here, since it's a clear stand-alone > bug fix. Of course. Will put it in the start of this series. Thanks. > > -Kees > > > --- > > arch/x86/boot/compressed/misc.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c > > index 4b2cd0c..70445c3 100644 > > --- a/arch/x86/boot/compressed/misc.c > > +++ b/arch/x86/boot/compressed/misc.c > > @@ -298,7 +298,7 @@ static void handle_relocations(void *output, unsigned long output_len) > > * So we work backwards from the end of the decompressed image. > > */ > > for (reloc = output + output_len - sizeof(*reloc); *reloc; reloc--) { > > - int extended = *reloc; > > + long extended = *reloc; > > extended += map; > > > > ptr = (unsigned long)extended; > > -- > > 2.5.0 > > > > > > -- > Kees Cook > Chrome OS & Brillo Security
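Review bot: the invariant behind the one-line change `- int extended = *reloc;` / `+ long extended = *reloc;` is non-obvious from the code alone and deserves a comment above the declaration, not only in the commit log: the 32-bit table entry has to be sign-extended to the full virtual address before `extended += map;` is evaluated, because doing the addition in 32 bits and only then widening via `ptr = (unsigned long)extended;` is exactly what goes wrong once the decompressed kernel sits above 2G. It would also help to state explicitly in the commit message why the change is safe for i386, namely that `long` is still 32 bits there so the arithmetic is unchanged, rather than leaving the reader to infer it from the "as 32 bit inverse relocation processing does" remark.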