kaslr should avoid setup_data region

kaslr should avoid setup_data region

[Dave Young]

Hello Kees

I'm worrying that setup_data regions could be overwitten by randomize
kernel base. Would you like to fix it in kaslr code?

One problem is there could be a lot of setup_data regions but current
mem_avoid is an fixed array.

Thanks
Dave

Re: kaslr should avoid setup_data region

[Kees Cook]

On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
> Hello Kees
>
> I'm worrying that setup_data regions could be overwitten by randomize
> kernel base. Would you like to fix it in kaslr code?
>
> One problem is there could be a lot of setup_data regions but current
> mem_avoid is an fixed array.

Sure, can you give me some examples? Seems like it shouldn't be too
hard to have the mem_avoid logic walk additional areas.

-Kees

-- 
Kees Cook
Chrome OS Security

Re: kaslr should avoid setup_data region

[Dave Young]

On 04/23/14 at 07:43pm, Kees Cook wrote:
> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
> > Hello Kees
> >
> > I'm worrying that setup_data regions could be overwitten by randomize
> > kernel base. Would you like to fix it in kaslr code?
> >
> > One problem is there could be a lot of setup_data regions but current
> > mem_avoid is an fixed array.
> 
> Sure, can you give me some examples? Seems like it shouldn't be too
> hard to have the mem_avoid logic walk additional areas.

Great, To walk through the list just like the function parse_setup_data in
arch/x86/kernel/setup.c

Thanks
Dave

Re: kaslr should avoid setup_data region

[Kees Cook]

Ah, it sounds like boot_params.hdr.setup_data contains a series of
e820-like entries chained together as a linked list? Which loaders
currently populate that? Looks like EFI? Seems like
arch/x86/boot/compressed/eboot.c works on setup_data at least.

I won't be in a position to test EFI booting for a while. If someone
else took this, that would make it get fixed much faster.

Do you have examples where this is actually causing failures?

-Kees

On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <dyoung@redhat.com> wrote:
> On 04/23/14 at 07:43pm, Kees Cook wrote:
>> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
>> > Hello Kees
>> >
>> > I'm worrying that setup_data regions could be overwitten by randomize
>> > kernel base. Would you like to fix it in kaslr code?
>> >
>> > One problem is there could be a lot of setup_data regions but current
>> > mem_avoid is an fixed array.
>>
>> Sure, can you give me some examples? Seems like it shouldn't be too
>> hard to have the mem_avoid logic walk additional areas.
>
> Great, To walk through the list just like the function parse_setup_data in
> arch/x86/kernel/setup.c
>
> Thanks
> Dave



-- 
Kees Cook
Chrome OS Security

Re: kaslr should avoid setup_data region

[H. Peter Anvin]

On 04/24/2014 03:50 PM, Kees Cook wrote:
> Ah, it sounds like boot_params.hdr.setup_data contains a series of
> e820-like entries chained together as a linked list? Which loaders
> currently populate that? Looks like EFI? Seems like
> arch/x86/boot/compressed/eboot.c works on setup_data at least.
> 
> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.
> 
> Do you have examples where this is actually causing failures?
> 
> -Kees

Syslinux can populate it with arbitrary data; in particular Syslinux
uses it to pass FDT information if requested.

	-hpa

Re: kaslr should avoid setup_data region

[Dave Young]

On 04/24/14 at 03:50pm, Kees Cook wrote:
> Ah, it sounds like boot_params.hdr.setup_data contains a series of
> e820-like entries chained together as a linked list? Which loaders
> currently populate that? Looks like EFI? Seems like
> arch/x86/boot/compressed/eboot.c works on setup_data at least.

AFAIK efi stub, kexec, also as HPA mentioned syslinux use it as well.

kexec use setup_data for passing e820 ext ranges, also use it for efi boot.

> 
> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.

Because kaslr is randomizing the base, it's hard to produce the failure.

>From the code itself, maybe just iterate the setup_data regions and add them
to avoid list, not necessary to care about the setup_data type..

> 
> Do you have examples where this is actually causing failures?

As mentioned above I have no idea how to test. Probably need manually hack
the code to create a failure? 

> 
> -Kees
> 
> On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <dyoung@redhat.com> wrote:
> > On 04/23/14 at 07:43pm, Kees Cook wrote:
> >> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
> >> > Hello Kees
> >> >
> >> > I'm worrying that setup_data regions could be overwitten by randomize
> >> > kernel base. Would you like to fix it in kaslr code?
> >> >
> >> > One problem is there could be a lot of setup_data regions but current
> >> > mem_avoid is an fixed array.
> >>
> >> Sure, can you give me some examples? Seems like it shouldn't be too
> >> hard to have the mem_avoid logic walk additional areas.
> >
> > Great, To walk through the list just like the function parse_setup_data in
> > arch/x86/kernel/setup.c
> >
> > Thanks
> > Dave
> 
> 
> 
> -- 
> Kees Cook
> Chrome OS Security

Re: kaslr should avoid setup_data region

[Dave Young]

> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.

I will hopefully look into it next week. But as I said I can only test
with a hacked kernel which set the randomized addr to the setup_data region.

Thanks
Dave 

Re: kaslr should avoid setup_data region

[Dave Young]

On 04/24/14 at 03:50pm, Kees Cook wrote:
> Ah, it sounds like boot_params.hdr.setup_data contains a series of
> e820-like entries chained together as a linked list? Which loaders
> currently populate that? Looks like EFI? Seems like
> arch/x86/boot/compressed/eboot.c works on setup_data at least.
> 
> I won't be in a position to test EFI booting for a while. If someone
> else took this, that would make it get fixed much faster.
> 
> Do you have examples where this is actually causing failures?
> 
> -Kees
> 
> On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <dyoung@redhat.com> wrote:
> > On 04/23/14 at 07:43pm, Kees Cook wrote:
> >> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
> >> > Hello Kees
> >> >
> >> > I'm worrying that setup_data regions could be overwitten by randomize
> >> > kernel base. Would you like to fix it in kaslr code?
> >> >
> >> > One problem is there could be a lot of setup_data regions but current
> >> > mem_avoid is an fixed array.
> >>
> >> Sure, can you give me some examples? Seems like it shouldn't be too
> >> hard to have the mem_avoid logic walk additional areas.
> >
> > Great, To walk through the list just like the function parse_setup_data in
> > arch/x86/kernel/setup.c

One problem for me is that I am not sure how to read the setup_data memory
and iterate it, I think early_ioremap is not available that early. BTW the
setup_data region could be above 4G.

Appreciate for any hints.

Thanks
Dave

Re: kaslr should avoid setup_data region

[Kees Cook]

On Thu, May 8, 2014 at 2:46 AM, Dave Young <dyoung@redhat.com> wrote:
> On 04/24/14 at 03:50pm, Kees Cook wrote:
>> On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <dyoung@redhat.com> wrote:
>> > On 04/23/14 at 07:43pm, Kees Cook wrote:
>> >> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
>> >> > Hello Kees
>> >> >
>> >> > I'm worrying that setup_data regions could be overwitten by randomize
>> >> > kernel base. Would you like to fix it in kaslr code?
>> >> >
>> >> > One problem is there could be a lot of setup_data regions but current
>> >> > mem_avoid is an fixed array.
>> >>
>> >> Sure, can you give me some examples? Seems like it shouldn't be too
>> >> hard to have the mem_avoid logic walk additional areas.
>> >
>> > Great, To walk through the list just like the function parse_setup_data in
>> > arch/x86/kernel/setup.c
>
> One problem for me is that I am not sure how to read the setup_data memory
> and iterate it, I think early_ioremap is not available that early. BTW the
> setup_data region could be above 4G.
>
> Appreciate for any hints.

Hm, I'm not sure. The kASLR code only deals with memory that has been
set up during the physical/virtual identity mapping.

-Kees

-- 
Kees Cook
Chrome OS Security

Re: kaslr should avoid setup_data region

[Dave Young]

On 05/08/14 at 12:31pm, Kees Cook wrote:
> On Thu, May 8, 2014 at 2:46 AM, Dave Young <dyoung@redhat.com> wrote:
> > On 04/24/14 at 03:50pm, Kees Cook wrote:
> >> On Wed, Apr 23, 2014 at 7:50 PM, Dave Young <dyoung@redhat.com> wrote:
> >> > On 04/23/14 at 07:43pm, Kees Cook wrote:
> >> >> On Wed, Apr 23, 2014 at 7:35 PM, Dave Young <dyoung@redhat.com> wrote:
> >> >> > Hello Kees
> >> >> >
> >> >> > I'm worrying that setup_data regions could be overwitten by randomize
> >> >> > kernel base. Would you like to fix it in kaslr code?
> >> >> >
> >> >> > One problem is there could be a lot of setup_data regions but current
> >> >> > mem_avoid is an fixed array.
> >> >>
> >> >> Sure, can you give me some examples? Seems like it shouldn't be too
> >> >> hard to have the mem_avoid logic walk additional areas.
> >> >
> >> > Great, To walk through the list just like the function parse_setup_data in
> >> > arch/x86/kernel/setup.c
> >
> > One problem for me is that I am not sure how to read the setup_data memory
> > and iterate it, I think early_ioremap is not available that early. BTW the
> > setup_data region could be above 4G.
> >
> > Appreciate for any hints.
> 
> Hm, I'm not sure. The kASLR code only deals with memory that has been
> set up during the physical/virtual identity mapping.
> 

So will dereference them directly and ignore setup_data which is above 4G.

Thanks
Dave