Re: [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc()

[Arnd Bergmann]

On Tue, Oct 9, 2018 at 1:28 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Mon, Oct 8, 2018 at 1:22 PM, Borislav Petkov <bp@xxxxxxxxx> wrote:
> > On Fri, Oct 05, 2018 at 09:24:53AM -0700, tip-bot for Arnd Bergmann wrote:

> >
> > For whatever reason - probably because it forced
> > MAX_PREALLOCATED_USER_PMDS be KERNEL_PGD_PTRS and not 0 (and I don't
> > have CONFIG_PAGE_TABLE_ISOLATION so it was 0 here with my .config
> > before) but this patch causes the fun below.
> >
> > If I revert it, no splat.
> >
> > Also, config has CONFIG_X86_PAE=y. And CONFIG_STACKPROTECTOR_STRONG=y. If I
> > disable _STRONG, it boots too. Attached.
>
> This really should mean that the stack canary changed. Either the
> stack canary wasn't prepared yet (but this is from run_init_process(),
> which is WELL after boot_init_stack_canary()), or the canary was
> actually stomped on, which would certainly be a bug in the existing
> code.
>
> Ah! I see it now. "pmds" shouldn't have changed, it's not .._USER_PMDS...
>
> -       pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
> -       pmd_t *pmds[PREALLOCATED_PMDS];
> +       pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
> +       pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];

Ah, cool, thanks for the analysis. Is the patch already reverted?
I.e. should I send a replacement patch, or a relative fix, or is
someone else already on it?

      Arnd