Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()

From: fuqiang wang
Date: Wed Dec 13 2023 - 08:20:38 EST

Next message: Ronald Monthero: "Re: [PATCH] mm/zswap: Improve with alloc_workqueue() call"
Previous message: Jason Gunthorpe: "Re: [PATCH v2 3/6] iommufd: Initializing and releasing IO page fault data"
In reply to: Baoquan He: "Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()"
Next in thread: Baoquan He: "Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

在 2023/12/13 12:44, Baoquan He 写道:

On 11/30/23 at 09:20pm, fuqiang wang wrote:

On 2023/11/30 15:44, Baoquan He wrote:

On 11/27/23 at 10:56am, fuqiang wang wrote:

When the split happened, judge whether mem->nr_ranges is equal to
mem->max_nr_ranges. If it is true, return -ENOMEM.

The advantage of doing this is that it can avoid array bounds caused by
some bugs. E.g., Before commit 4831be702b95 ("arm64/kexec: Fix missing
extra range for crashkres_low."), reserve both high and low memories for
the crashkernel may cause out of bounds.

On the other hand, move this code before the split to ensure that the
array will not be changed when return error.

If out of array boundary is caused, means the laoding failed, whether
the out of boundary happened or not. I don't see how this code change
makes sense. Do I miss anything?

Thanks
Baoquan

Hi baoquan,

In some configurations, out of bounds may not cause crash_exclude_mem_range()
returns error, then the load will succeed.

E.g.
There is a cmem before execute crash_exclude_mem_range():

cmem = {
    max_nr_ranges = 3
    nr_ranges = 2
    ranges = {
       {start = 1,      end = 1000}
       {start = 1001,    end = 2000}
    }
}

After executing twice crash_exclude_mem_range() with the start/end params
100/200, 300/400 respectively, the cmem will be:

cmem = {
    max_nr_ranges = 3
    nr_ranges = 4                    <== nr_ranges > max_nr_ranges
    ranges = {
      {start = 1,       end = 99 }
      {start = 201,     end = 299 }
      {start = 401,     end = 1000}
      {start = 1001,    end = 2000} <== OUT OF BOUNDS
    }
}

When an out of bounds occurs during the second execution, the function will not
return error.

Additionally, when the function returns error, means the load failed. It seems
meaningless to keep the original data unchanged. But in my opinion, this will
make this function more rigorous and more versatile. (However, I am not sure if
it is self-defeating and I hope to receive more suggestions).

Sorry for late reply.

I checked the code again, there seems to be cases out of bounds occur
very possiblly. We may need to enlarge the cmem array to avoid the risk.

In below draft code, we need add another slot to exclude the low 1M area
when preparing elfcorehdr. And to exclude the elf header region from
crash kernel region, we need create the cmem with 2 slots.

With these change, we can absolutely avoid out of bounds occurence.
What do you think?

diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
index 1715e5f06a59..21facabcf699 100644
--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -147,10 +147,10 @@ static struct crash_mem *fill_up_crash_elf_data(void)
return NULL;
/*
- * Exclusion of crash region and/or crashk_low_res may cause
- * another range split. So add extra two slots here.
+ * Exclusion of low 1M, crash region and/or crashk_low_res may
+ * cause another range split. So add extra two slots here.
*/
- nr_ranges += 2;
+ nr_ranges += 3;
cmem = vzalloc(struct_size(cmem, ranges, nr_ranges));
if (!cmem)
return NULL;

Hi baoquan,

Exclusion of low 1M may not cause new region. Because when calling
crash_exclude_mem_range(), the start parameter is 0 and the condition for
splitting a new region is that the start, end parameters are both in a certain
existing region in cmem and cannot be equal to existing region's start or end.
Obviously, start (0) cannot meet this condition.

@@ -282,7 +282,7 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
struct crash_memmap_data cmd;
struct crash_mem *cmem;
- cmem = vzalloc(struct_size(cmem, ranges, 1));
+ cmem = vzalloc(struct_size(cmem, ranges, 2));
if (!cmem)
return -ENOMEM;

Yes, you are right. Exclude the elf header region from crash kernel region may
cause split a new region. And there seems to be another issue with this code
path: Before calling crash_exclude_mem_range(), cmem->max_nr_ranges was not
initialized.

In my opinion, these change can absolutely avoid out of bounds occurence. But
when we forget to modify max_nr_ranges due to a mistakes in the future, is it
better to report it by returning an error through crash_exclude_mem_range().
What do you think about it?

Thanks
fuqiang

Next message: Ronald Monthero: "Re: [PATCH] mm/zswap: Improve with alloc_workqueue() call"
Previous message: Jason Gunthorpe: "Re: [PATCH v2 3/6] iommufd: Initializing and releasing IO page fault data"
In reply to: Baoquan He: "Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()"
Next in thread: Baoquan He: "Re: [PATCH] kexec: avoid out of bounds in crash_exclude_mem_range()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]