* [PATCH 1/1] crash_dump: fix non-pae kdump kernel memory accesses @ 2009-10-23 15:45 Jiri Slaby 2009-10-25 16:20 ` Ingo Molnar 0 siblings, 1 reply; 7+ messages in thread From: Jiri Slaby @ 2009-10-23 15:45 UTC (permalink / raw) To: mingo Cc: tglx, hpa, x86, linux-kernel, Jiri Slaby, Vivek Goyal, Eric W. Biederman, Simon Horman, Paul Mundt, Ingo Molnar Non-PAE 32-bit dump kernels may wrap an address around 4G and poke unwanted space. ptes there are 32-bit long, and since pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. Don't allow this behavior in non-PAE kdump kernels by checking pfns passed into copy_oldmem_page. In the case of failure, userspace process gets EFAULT. Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Simon Horman <horms@verge.net.au> Cc: Paul Mundt <lethal@linux-sh.org> Cc: Ingo Molnar <mingo@elte.hu> --- arch/x86/kernel/crash_dump_32.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c index f7cdb3b..b78dab8 100644 --- a/arch/x86/kernel/crash_dump_32.c +++ b/arch/x86/kernel/crash_dump_32.c @@ -16,6 +16,19 @@ static void *kdump_buf_page; /* Stores the physical address of elf header of crash image. */ unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; +#ifndef CONFIG_X86_PAE +/* non-PAE kdump kernel executed from a PAE one will crop high pte bits and + poke unwanted space counting again from address 0, we don't want that */ +static inline bool is_crashed_pfn_valid(unsigned long pfn) +{ + /* on non-PAE pte must fit into unsigned long + in fact the test is (pfn & 0x000fffff) */ + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; +} +#else +static inline bool is_crashed_pfn_valid(unsigned long pfn) { return true; } +#endif + /** * copy_oldmem_page - copy one page from "oldmem" * @pfn: page frame number to be copied @@ -41,6 +54,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, if (!csize) return 0; + if (!is_crashed_pfn_valid(pfn)) + return -EFAULT; + vaddr = kmap_atomic_pfn(pfn, KM_PTE0); if (!userbuf) { -- 1.6.4.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] crash_dump: fix non-pae kdump kernel memory accesses 2009-10-23 15:45 [PATCH 1/1] crash_dump: fix non-pae kdump kernel memory accesses Jiri Slaby @ 2009-10-25 16:20 ` Ingo Molnar 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby 2009-10-26 10:12 ` [PATCH " Jiri Slaby 0 siblings, 2 replies; 7+ messages in thread From: Ingo Molnar @ 2009-10-25 16:20 UTC (permalink / raw) To: Jiri Slaby Cc: mingo, tglx, hpa, x86, linux-kernel, Vivek Goyal, Eric W. Biederman, Simon Horman, Paul Mundt * Jiri Slaby <jirislaby@gmail.com> wrote: > Non-PAE 32-bit dump kernels may wrap an address around 4G and > poke unwanted space. ptes there are 32-bit long, and since > pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped > and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. > > Don't allow this behavior in non-PAE kdump kernels by checking > pfns passed into copy_oldmem_page. In the case of failure, > userspace process gets EFAULT. > > Signed-off-by: Jiri Slaby <jirislaby@gmail.com> > Cc: Vivek Goyal <vgoyal@redhat.com> > Cc: "Eric W. Biederman" <ebiederm@xmission.com> > Cc: Simon Horman <horms@verge.net.au> > Cc: Paul Mundt <lethal@linux-sh.org> > Cc: Ingo Molnar <mingo@elte.hu> > --- > arch/x86/kernel/crash_dump_32.c | 16 ++++++++++++++++ > 1 files changed, 16 insertions(+), 0 deletions(-) > > diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c > index f7cdb3b..b78dab8 100644 > --- a/arch/x86/kernel/crash_dump_32.c > +++ b/arch/x86/kernel/crash_dump_32.c > @@ -16,6 +16,19 @@ static void *kdump_buf_page; > /* Stores the physical address of elf header of crash image. */ > unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; > > +#ifndef CONFIG_X86_PAE > +/* non-PAE kdump kernel executed from a PAE one will crop high pte bits and > + poke unwanted space counting again from address 0, we don't want that */ > +static inline bool is_crashed_pfn_valid(unsigned long pfn) > +{ > + /* on non-PAE pte must fit into unsigned long > + in fact the test is (pfn & 0x000fffff) */ > + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; > +} > +#else > +static inline bool is_crashed_pfn_valid(unsigned long pfn) { return true; } > +#endif i'd suggest to push the #ifdef inside the function. Also, please use the customary (multi-line) comment style: /* * Comment ..... * ...... goes here. */ specified in Documentation/CodingStyle. Thanks, Ingo ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/1] crash_dump: fix non-pae kdump kernel memory accesses 2009-10-25 16:20 ` Ingo Molnar @ 2009-10-26 10:11 ` Jiri Slaby 2009-10-26 15:24 ` [tip:x86/urgent] x86: crash_dump: Fix " tip-bot for Jiri Slaby ` (2 more replies) 2009-10-26 10:12 ` [PATCH " Jiri Slaby 1 sibling, 3 replies; 7+ messages in thread From: Jiri Slaby @ 2009-10-26 10:11 UTC (permalink / raw) To: mingo Cc: tglx, hpa, x86, linux-kernel, Jiri Slaby, Vivek Goyal, Eric W. Biederman, Simon Horman, Paul Mundt, Ingo Molnar Non-PAE 32-bit dump kernels may wrap an address around 4G and poke unwanted space. ptes there are 32-bit long, and since pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. Don't allow this behavior in non-PAE kdump kernels by checking pfns passed into copy_oldmem_page. In the case of failure, userspace process gets EFAULT. [v2] - fix comments - move ifdefs inside the function Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Simon Horman <horms@verge.net.au> Cc: Paul Mundt <lethal@linux-sh.org> Cc: Ingo Molnar <mingo@elte.hu> --- arch/x86/kernel/crash_dump_32.c | 19 +++++++++++++++++++ 1 files changed, 19 insertions(+), 0 deletions(-) diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c index f7cdb3b..cd97ce1 100644 --- a/arch/x86/kernel/crash_dump_32.c +++ b/arch/x86/kernel/crash_dump_32.c @@ -16,6 +16,22 @@ static void *kdump_buf_page; /* Stores the physical address of elf header of crash image. */ unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; +static inline bool is_crashed_pfn_valid(unsigned long pfn) +{ +#ifndef CONFIG_X86_PAE + /* + * non-PAE kdump kernel executed from a PAE one will crop high pte + * bits and poke unwanted space counting again from address 0, we + * don't want that. pte must fit into unsigned long. In fact the + * test checks high 12 bits for being zero (pfn will be shifted left + * by PAGE_SHIFT). + */ + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; +#else + return true; +#endif +} + /** * copy_oldmem_page - copy one page from "oldmem" * @pfn: page frame number to be copied @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, if (!csize) return 0; + if (!is_crashed_pfn_valid(pfn)) + return -EFAULT; + vaddr = kmap_atomic_pfn(pfn, KM_PTE0); if (!userbuf) { -- 1.6.4.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:x86/urgent] x86: crash_dump: Fix non-pae kdump kernel memory accesses 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby @ 2009-10-26 15:24 ` tip-bot for Jiri Slaby 2009-10-26 20:40 ` [PATCH v2 1/1] crash_dump: fix " Eric W. Biederman 2009-10-27 13:17 ` Vivek Goyal 2 siblings, 0 replies; 7+ messages in thread From: tip-bot for Jiri Slaby @ 2009-10-26 15:24 UTC (permalink / raw) To: linux-tip-commits Cc: linux-kernel, horms, hpa, mingo, jirislaby, lethal, vgoyal, ebiederm, tglx, mingo Commit-ID: 72ed7de74e8f0fad0d8e567ae1f987b740accb3f Gitweb: http://git.kernel.org/tip/72ed7de74e8f0fad0d8e567ae1f987b740accb3f Author: Jiri Slaby <jirislaby@gmail.com> AuthorDate: Mon, 26 Oct 2009 11:11:43 +0100 Committer: Ingo Molnar <mingo@elte.hu> CommitDate: Mon, 26 Oct 2009 12:38:59 +0100 x86: crash_dump: Fix non-pae kdump kernel memory accesses Non-PAE 32-bit dump kernels may wrap an address around 4G and poke unwanted space. ptes there are 32-bit long, and since pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. Don't allow this behavior in non-PAE kdump kernels by checking pfns passed into copy_oldmem_page. In the case of failure, userspace process gets EFAULT. [v2] - fix comments - move ifdefs inside the function Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Simon Horman <horms@verge.net.au> Cc: Paul Mundt <lethal@linux-sh.org> LKML-Reference: <1256551903-30567-1-git-send-email-jirislaby@gmail.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> --- arch/x86/kernel/crash_dump_32.c | 19 +++++++++++++++++++ 1 files changed, 19 insertions(+), 0 deletions(-) diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c index f7cdb3b..cd97ce1 100644 --- a/arch/x86/kernel/crash_dump_32.c +++ b/arch/x86/kernel/crash_dump_32.c @@ -16,6 +16,22 @@ static void *kdump_buf_page; /* Stores the physical address of elf header of crash image. */ unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; +static inline bool is_crashed_pfn_valid(unsigned long pfn) +{ +#ifndef CONFIG_X86_PAE + /* + * non-PAE kdump kernel executed from a PAE one will crop high pte + * bits and poke unwanted space counting again from address 0, we + * don't want that. pte must fit into unsigned long. In fact the + * test checks high 12 bits for being zero (pfn will be shifted left + * by PAGE_SHIFT). + */ + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; +#else + return true; +#endif +} + /** * copy_oldmem_page - copy one page from "oldmem" * @pfn: page frame number to be copied @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, if (!csize) return 0; + if (!is_crashed_pfn_valid(pfn)) + return -EFAULT; + vaddr = kmap_atomic_pfn(pfn, KM_PTE0); if (!userbuf) { ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/1] crash_dump: fix non-pae kdump kernel memory accesses 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby 2009-10-26 15:24 ` [tip:x86/urgent] x86: crash_dump: Fix " tip-bot for Jiri Slaby @ 2009-10-26 20:40 ` Eric W. Biederman 2009-10-27 13:17 ` Vivek Goyal 2 siblings, 0 replies; 7+ messages in thread From: Eric W. Biederman @ 2009-10-26 20:40 UTC (permalink / raw) To: Jiri Slaby Cc: mingo, tglx, hpa, x86, linux-kernel, Vivek Goyal, Simon Horman, Paul Mundt, Ingo Molnar Jiri Slaby <jirislaby@gmail.com> writes: > Non-PAE 32-bit dump kernels may wrap an address around 4G and > poke unwanted space. ptes there are 32-bit long, and since > pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped > and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. > > Don't allow this behavior in non-PAE kdump kernels by checking > pfns passed into copy_oldmem_page. In the case of failure, > userspace process gets EFAULT. Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Looks good to me. > [v2] > - fix comments > - move ifdefs inside the function > > Signed-off-by: Jiri Slaby <jirislaby@gmail.com> > Cc: Vivek Goyal <vgoyal@redhat.com> > Cc: "Eric W. Biederman" <ebiederm@xmission.com> > Cc: Simon Horman <horms@verge.net.au> > Cc: Paul Mundt <lethal@linux-sh.org> > Cc: Ingo Molnar <mingo@elte.hu> > --- > arch/x86/kernel/crash_dump_32.c | 19 +++++++++++++++++++ > 1 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c > index f7cdb3b..cd97ce1 100644 > --- a/arch/x86/kernel/crash_dump_32.c > +++ b/arch/x86/kernel/crash_dump_32.c > @@ -16,6 +16,22 @@ static void *kdump_buf_page; > /* Stores the physical address of elf header of crash image. */ > unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; > > +static inline bool is_crashed_pfn_valid(unsigned long pfn) > +{ > +#ifndef CONFIG_X86_PAE > + /* > + * non-PAE kdump kernel executed from a PAE one will crop high pte > + * bits and poke unwanted space counting again from address 0, we > + * don't want that. pte must fit into unsigned long. In fact the > + * test checks high 12 bits for being zero (pfn will be shifted left > + * by PAGE_SHIFT). > + */ > + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; > +#else > + return true; > +#endif > +} > + > /** > * copy_oldmem_page - copy one page from "oldmem" > * @pfn: page frame number to be copied > @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, > if (!csize) > return 0; > > + if (!is_crashed_pfn_valid(pfn)) > + return -EFAULT; > + > vaddr = kmap_atomic_pfn(pfn, KM_PTE0); > > if (!userbuf) { > -- > 1.6.4.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/1] crash_dump: fix non-pae kdump kernel memory accesses 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby 2009-10-26 15:24 ` [tip:x86/urgent] x86: crash_dump: Fix " tip-bot for Jiri Slaby 2009-10-26 20:40 ` [PATCH v2 1/1] crash_dump: fix " Eric W. Biederman @ 2009-10-27 13:17 ` Vivek Goyal 2 siblings, 0 replies; 7+ messages in thread From: Vivek Goyal @ 2009-10-27 13:17 UTC (permalink / raw) To: Jiri Slaby Cc: mingo, tglx, hpa, x86, linux-kernel, Eric W. Biederman, Simon Horman, Paul Mundt, Ingo Molnar On Mon, Oct 26, 2009 at 11:11:43AM +0100, Jiri Slaby wrote: > Non-PAE 32-bit dump kernels may wrap an address around 4G and > poke unwanted space. ptes there are 32-bit long, and since > pfn << PAGE_SIZE may exceed this limit, high pfn bits are cropped > and wrong address mapped by kmap_atomic_pfn in copy_oldmem_page. > > Don't allow this behavior in non-PAE kdump kernels by checking > pfns passed into copy_oldmem_page. In the case of failure, > userspace process gets EFAULT. > > [v2] > - fix comments > - move ifdefs inside the function > > Signed-off-by: Jiri Slaby <jirislaby@gmail.com> > Cc: Vivek Goyal <vgoyal@redhat.com> > Cc: "Eric W. Biederman" <ebiederm@xmission.com> > Cc: Simon Horman <horms@verge.net.au> > Cc: Paul Mundt <lethal@linux-sh.org> > Cc: Ingo Molnar <mingo@elte.hu> > --- Looks good to me. Acked-by: Vivek Goyal <vgoyal@redhat.com> Thanks Vivek > arch/x86/kernel/crash_dump_32.c | 19 +++++++++++++++++++ > 1 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/arch/x86/kernel/crash_dump_32.c b/arch/x86/kernel/crash_dump_32.c > index f7cdb3b..cd97ce1 100644 > --- a/arch/x86/kernel/crash_dump_32.c > +++ b/arch/x86/kernel/crash_dump_32.c > @@ -16,6 +16,22 @@ static void *kdump_buf_page; > /* Stores the physical address of elf header of crash image. */ > unsigned long long elfcorehdr_addr = ELFCORE_ADDR_MAX; > > +static inline bool is_crashed_pfn_valid(unsigned long pfn) > +{ > +#ifndef CONFIG_X86_PAE > + /* > + * non-PAE kdump kernel executed from a PAE one will crop high pte > + * bits and poke unwanted space counting again from address 0, we > + * don't want that. pte must fit into unsigned long. In fact the > + * test checks high 12 bits for being zero (pfn will be shifted left > + * by PAGE_SHIFT). > + */ > + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; > +#else > + return true; > +#endif > +} > + > /** > * copy_oldmem_page - copy one page from "oldmem" > * @pfn: page frame number to be copied > @@ -41,6 +57,9 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf, > if (!csize) > return 0; > > + if (!is_crashed_pfn_valid(pfn)) > + return -EFAULT; > + > vaddr = kmap_atomic_pfn(pfn, KM_PTE0); > > if (!userbuf) { > -- > 1.6.4.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] crash_dump: fix non-pae kdump kernel memory accesses 2009-10-25 16:20 ` Ingo Molnar 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby @ 2009-10-26 10:12 ` Jiri Slaby 1 sibling, 0 replies; 7+ messages in thread From: Jiri Slaby @ 2009-10-26 10:12 UTC (permalink / raw) To: Ingo Molnar Cc: mingo, tglx, hpa, x86, linux-kernel, Vivek Goyal, Eric W. Biederman, Simon Horman, Paul Mundt On 10/25/2009 05:20 PM, Ingo Molnar wrote: >> +#ifndef CONFIG_X86_PAE >> +/* non-PAE kdump kernel executed from a PAE one will crop high pte bits and >> + poke unwanted space counting again from address 0, we don't want that */ >> +static inline bool is_crashed_pfn_valid(unsigned long pfn) >> +{ >> + /* on non-PAE pte must fit into unsigned long >> + in fact the test is (pfn & 0x000fffff) */ >> + return pte_pfn(pfn_pte(pfn, __pgprot(0))) == pfn; >> +} >> +#else >> +static inline bool is_crashed_pfn_valid(unsigned long pfn) { return true; } >> +#endif > > i'd suggest to push the #ifdef inside the function. I posted a v2 patch a second ago. Thanks. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2009-10-27 13:18 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-10-23 15:45 [PATCH 1/1] crash_dump: fix non-pae kdump kernel memory accesses Jiri Slaby 2009-10-25 16:20 ` Ingo Molnar 2009-10-26 10:11 ` [PATCH v2 " Jiri Slaby 2009-10-26 15:24 ` [tip:x86/urgent] x86: crash_dump: Fix " tip-bot for Jiri Slaby 2009-10-26 20:40 ` [PATCH v2 1/1] crash_dump: fix " Eric W. Biederman 2009-10-27 13:17 ` Vivek Goyal 2009-10-26 10:12 ` [PATCH " Jiri Slaby
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox