From: Rik van Riel
To: Mike Rapoport
Cc: Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
Subject: Re: [PATCH] mm,memblock: reset memblock.reserved to system init state to prevent UAF
Date: Thu, 20 Jul 2023 09:15:25 -0400
Message-ID: <7dc943023c620bed4bf49710dbe6facaade203fa.camel@surriel.com>
In-Reply-To: <20230720050047.GL1901145@kernel.org>
References: <20230719154137.732d8525@imladris.surriel.com> <20230720050047.GL1901145@kernel.org>
On Thu, 2023-07-20 at 08:00 +0300, Mike Rapoport wrote:
> Hi Ric,
>
> On Wed, Jul 19, 2023 at 03:41:37PM -0400, Rik van Riel wrote:
> > The memblock_discard function frees the memblock.reserved.regions
> > array, which is good.
> >
> > However, if a subsequent memblock_free (or memblock_phys_free) comes
> > in later, from for example ima_free_kexec_buffer, that will result in
> > a use after free bug in memblock_isolate_range.
>
> The use of memblock_phys_free() in ima_free_kexec_buffer() is entirely
> bogus and must be fixed. It should be memblock_free_late() there.
>

I'll send in a patch for that code, then. Thank you!

> > When running a kernel with CONFIG_KASAN enabled, this will cause a
> > kernel panic very early in boot. Without CONFIG_KASAN, there is
> > a chance that memblock_isolate_range might scribble on memory
> > that is now in use by somebody else.
>
> This can't happen because memblock_double_array() uses kmalloc() as
> soon as slab_is_available(), so this sentence is misleading.

memblock_discard() freed the array, but did not change the pointer.
That resulted in memblock_isolate_range() following a stale pointer.

There was no call to memblock_double_array() in the final call that
crashed. I checked that by booting with memblock=debug.

kind regards,

Rik van Riel
--
All Rights Reversed.
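The stale-pointer pattern discussed in this thread, modeled in userland C as an added example that is not part of the email and not the kernel's memblock code: a region table that starts on a static array, moves to the heap when it grows, and is then discarded either by freeing and leaving the pointer dangling, or by freeing and resetting the table to its system-init state. The struct, function names and INIT_REGIONS size are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed userland model of a memblock-style region table (not the
 * kernel's code): static init[] first, a heap array once it outgrows it. */
#define INIT_REGIONS 4
struct region { unsigned long base, size; };
struct region_type {
    struct region init[INIT_REGIONS], *regions; /* regions: init[] or heap */
    unsigned long cnt, max;
};

/* Grow onto the heap when full (stands in for memblock_double_array). */
static int add_region(struct region_type *t, unsigned long base, unsigned long size) {
    if (t->cnt == t->max) {
        struct region *n = malloc(2 * t->max * sizeof *n);
        if (!n) return -1;
        memcpy(n, t->regions, t->cnt * sizeof *n);
        if (t->regions != t->init) free(t->regions);
        t->regions = n;
        t->max *= 2;
    }
    t->regions[t->cnt].base = base;
    t->regions[t->cnt++].size = size;
    return 0;
}

/* Buggy discard: frees the heap array but leaves t->regions dangling,
 * so a later walk of the table is a use after free. */
static void discard_buggy(struct region_type *t) {
    if (t->regions != t->init) free(t->regions); t->cnt = 0;
}

/* Fixed discard: free, then reset to the system-init state so a late
 * free still finds a live (empty) array. */
static void discard_fixed(struct region_type *t) {
    if (t->regions != t->init) free(t->regions);
    t->regions = t->init; t->cnt = 0; t->max = INIT_REGIONS;
}

/* Fill past INIT_REGIONS to force the heap move, discard, then report
 * whether t->regions still points at live storage (1) or is stale (0). */
static int discard_leaves_live_table(int fixed) {
    struct region_type t = { .max = INIT_REGIONS };
    t.regions = t.init;
    for (unsigned long i = 0; i < INIT_REGIONS + 2; i++)
        add_region(&t, i * 0x1000, 0x1000);
    if (fixed) discard_fixed(&t); else discard_buggy(&t);
    return t.regions == t.init && t.max == INIT_REGIONS;
}
```

Building with -fsanitize=address and adding a region after discard_buggy() reports the heap-use-after-free that KASAN reported in the kernel case; after discard_fixed() the same call lands in the static array.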