PATCHES/patches/stable-x86-kaslr-fix-the-vaddr_end-mess.patch

From 1dddd25125112ba49706518ac9077a1026a18f37 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Thu, 4 Jan 2018 12:32:03 +0100
Subject: x86/kaslr: Fix the vaddr_end mess

From: Thomas Gleixner <tglx@linutronix.de>

commit 1dddd25125112ba49706518ac9077a1026a18f37 upstream.

vaddr_end for KASLR is only documented in the KASLR code itself and is
adjusted depending on config options. So it's not surprising that a change
of the memory layout causes KASLR to have the wrong vaddr_end. This can map
arbitrary stuff into other areas causing hard to understand problems.

Remove the whole ifdef magic and define the start of the cpu_entry_area to
be the end of the KASLR vaddr range.

Add documentation to that effect.

Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
Reported-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Garnier <thgarnie@google.com>,
Cc: Alexander Kuleshov <kuleshovmail@gmail.com>
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801041320360.1771@nanos
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/x86_64/mm.txt         |    6 ++++++
 arch/x86/include/asm/pgtable_64_types.h |    8 +++++++-
 arch/x86/mm/kaslr.c                     |   32 +++++++++-----------------------
 3 files changed, 22 insertions(+), 24 deletions(-)

--- a/Documentation/x86/x86_64/mm.txt
+++ b/Documentation/x86/x86_64/mm.txt
@@ -12,6 +12,7 @@ ffffea0000000000 - ffffeaffffffffff (=40
 ... unused hole ...
 ffffec0000000000 - fffffbffffffffff (=44 bits) kasan shadow memory (16TB)
 ... unused hole ...
+                                   vaddr_end for KASLR
 fffffe0000000000 - fffffe7fffffffff (=39 bits) cpu_entry_area mapping
 fffffe8000000000 - fffffeffffffffff (=39 bits) LDT remap for PTI
 ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks
@@ -37,6 +38,7 @@ ffd4000000000000 - ffd5ffffffffffff (=49
 ... unused hole ...
 ffdf000000000000 - fffffc0000000000 (=53 bits) kasan shadow memory (8PB)
 ... unused hole ...
+                                   vaddr_end for KASLR
 fffffe0000000000 - fffffe7fffffffff (=39 bits) cpu_entry_area mapping
 ... unused hole ...
 ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks
@@ -71,3 +73,7 @@ during EFI runtime calls.
 Note that if CONFIG_RANDOMIZE_MEMORY is enabled, the direct mapping of all
 physical memory, vmalloc/ioremap space and virtual memory map are randomized.
 Their order is preserved but their base will be offset early at boot time.
+
+Be very careful vs. KASLR when changing anything here. The KASLR address
+range must not overlap with anything except the KASAN shadow area, which is
+correct as KASAN disables KASLR.
--- a/arch/x86/include/asm/pgtable_64_types.h
+++ b/arch/x86/include/asm/pgtable_64_types.h
@@ -75,7 +75,13 @@ typedef struct { pteval_t pte; } pte_t;
 #define PGDIR_SIZE     (_AC(1, UL) << PGDIR_SHIFT)
 #define PGDIR_MASK     (~(PGDIR_SIZE - 1))
 
-/* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
+/*
+ * See Documentation/x86/x86_64/mm.txt for a description of the memory map.
+ *
+ * Be very careful vs. KASLR when changing anything here. The KASLR address
+ * range must not overlap with anything except the KASAN shadow area, which
+ * is correct as KASAN disables KASLR.
+ */
 #define MAXMEM                 _AC(__AC(1, UL) << MAX_PHYSMEM_BITS, UL)
 
 #ifdef CONFIG_X86_5LEVEL
--- a/arch/x86/mm/kaslr.c
+++ b/arch/x86/mm/kaslr.c
@@ -34,25 +34,14 @@
 #define TB_SHIFT 40
 
 /*
- * Virtual address start and end range for randomization. The end changes base
- * on configuration to have the highest amount of space for randomization.
- * It increases the possible random position for each randomized region.
+ * Virtual address start and end range for randomization.
  *
- * You need to add an if/def entry if you introduce a new memory region
- * compatible with KASLR. Your entry must be in logical order with memory
- * layout. For example, ESPFIX is before EFI because its virtual address is
- * before. You also need to add a BUILD_BUG_ON() in kernel_randomize_memory() to
- * ensure that this order is correct and won't be changed.
+ * The end address could depend on more configuration options to make the
+ * highest amount of space for randomization available, but that's too hard
+ * to keep straight and caused issues already.
  */
 static const unsigned long vaddr_start = __PAGE_OFFSET_BASE;
-
-#if defined(CONFIG_X86_ESPFIX64)
-static const unsigned long vaddr_end = ESPFIX_BASE_ADDR;
-#elif defined(CONFIG_EFI)
-static const unsigned long vaddr_end = EFI_VA_END;
-#else
-static const unsigned long vaddr_end = __START_KERNEL_map;
-#endif
+static const unsigned long vaddr_end = CPU_ENTRY_AREA_BASE;
 
 /* Default values */
 unsigned long page_offset_base = __PAGE_OFFSET_BASE;
@@ -101,15 +90,12 @@ void __init kernel_randomize_memory(void
        unsigned long remain_entropy;
 
        /*
-        * All these BUILD_BUG_ON checks ensures the memory layout is
-        * consistent with the vaddr_start/vaddr_end variables.
+        * These BUILD_BUG_ON checks ensure the memory layout is consistent
+        * with the vaddr_start/vaddr_end variables. These checks are very
+        * limited....
         */
        BUILD_BUG_ON(vaddr_start >= vaddr_end);
-       BUILD_BUG_ON(IS_ENABLED(CONFIG_X86_ESPFIX64) &&
-                    vaddr_end >= EFI_VA_END);
-       BUILD_BUG_ON((IS_ENABLED(CONFIG_X86_ESPFIX64) ||
-                     IS_ENABLED(CONFIG_EFI)) &&
-                    vaddr_end >= __START_KERNEL_map);
+       BUILD_BUG_ON(vaddr_end != CPU_ENTRY_AREA_BASE);
        BUILD_BUG_ON(vaddr_end > __START_KERNEL_map);
 
        if (!kaslr_memory_enabled())
1	From 1dddd25125112ba49706518ac9077a1026a18f37 Mon Sep 17 00:00:00 2001
2	From: Thomas Gleixner <tglx@linutronix.de>
3	Date: Thu, 4 Jan 2018 12:32:03 +0100
4	Subject: x86/kaslr: Fix the vaddr_end mess
5
6	From: Thomas Gleixner <tglx@linutronix.de>
7
8	commit 1dddd25125112ba49706518ac9077a1026a18f37 upstream.
9
10	vaddr_end for KASLR is only documented in the KASLR code itself and is
11	adjusted depending on config options. So it's not surprising that a change
12	of the memory layout causes KASLR to have the wrong vaddr_end. This can map
13	arbitrary stuff into other areas causing hard to understand problems.
14
15	Remove the whole ifdef magic and define the start of the cpu_entry_area to
16	be the end of the KASLR vaddr range.
17
18	Add documentation to that effect.
19
20	Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
21	Reported-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
22	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
23	Tested-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
24	Cc: Andy Lutomirski <luto@kernel.org>
25	Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26	Cc: Dave Hansen <dave.hansen@linux.intel.com>
27	Cc: Peter Zijlstra <peterz@infradead.org>
28	Cc: Thomas Garnier <thgarnie@google.com>,
29	Cc: Alexander Kuleshov <kuleshovmail@gmail.com>
30	Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801041320360.1771@nanos
31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32
33	---
34	Documentation/x86/x86_64/mm.txt \| 6 ++++++
35	arch/x86/include/asm/pgtable_64_types.h \| 8 +++++++-
36	arch/x86/mm/kaslr.c \| 32 +++++++++-----------------------
37	3 files changed, 22 insertions(+), 24 deletions(-)
38
39	--- a/Documentation/x86/x86_64/mm.txt
40	+++ b/Documentation/x86/x86_64/mm.txt
41	@@ -12,6 +12,7 @@ ffffea0000000000 - ffffeaffffffffff (=40
42	... unused hole ...
43	ffffec0000000000 - fffffbffffffffff (=44 bits) kasan shadow memory (16TB)
44	... unused hole ...
45	+ vaddr_end for KASLR
46	fffffe0000000000 - fffffe7fffffffff (=39 bits) cpu_entry_area mapping
47	fffffe8000000000 - fffffeffffffffff (=39 bits) LDT remap for PTI
48	ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks
49	@@ -37,6 +38,7 @@ ffd4000000000000 - ffd5ffffffffffff (=49
50	... unused hole ...
51	ffdf000000000000 - fffffc0000000000 (=53 bits) kasan shadow memory (8PB)
52	... unused hole ...
53	+ vaddr_end for KASLR
54	fffffe0000000000 - fffffe7fffffffff (=39 bits) cpu_entry_area mapping
55	... unused hole ...
56	ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks
57	@@ -71,3 +73,7 @@ during EFI runtime calls.
58	Note that if CONFIG_RANDOMIZE_MEMORY is enabled, the direct mapping of all
59	physical memory, vmalloc/ioremap space and virtual memory map are randomized.
60	Their order is preserved but their base will be offset early at boot time.
61	+
62	+Be very careful vs. KASLR when changing anything here. The KASLR address
63	+range must not overlap with anything except the KASAN shadow area, which is
64	+correct as KASAN disables KASLR.
65	--- a/arch/x86/include/asm/pgtable_64_types.h
66	+++ b/arch/x86/include/asm/pgtable_64_types.h
67	@@ -75,7 +75,13 @@ typedef struct { pteval_t pte; } pte_t;
68	#define PGDIR_SIZE (_AC(1, UL) << PGDIR_SHIFT)
69	#define PGDIR_MASK (~(PGDIR_SIZE - 1))
70
71	-/* See Documentation/x86/x86_64/mm.txt for a description of the memory map. */
72	+/*
73	+ * See Documentation/x86/x86_64/mm.txt for a description of the memory map.
74	+ *
75	+ * Be very careful vs. KASLR when changing anything here. The KASLR address
76	+ * range must not overlap with anything except the KASAN shadow area, which
77	+ * is correct as KASAN disables KASLR.
78	+ */
79	#define MAXMEM _AC(__AC(1, UL) << MAX_PHYSMEM_BITS, UL)
80
81	#ifdef CONFIG_X86_5LEVEL
82	--- a/arch/x86/mm/kaslr.c
83	+++ b/arch/x86/mm/kaslr.c
84	@@ -34,25 +34,14 @@
85	#define TB_SHIFT 40
86
87	/*
88	- * Virtual address start and end range for randomization. The end changes base
89	- * on configuration to have the highest amount of space for randomization.
90	- * It increases the possible random position for each randomized region.
91	+ * Virtual address start and end range for randomization.
92	*
93	- * You need to add an if/def entry if you introduce a new memory region
94	- * compatible with KASLR. Your entry must be in logical order with memory
95	- * layout. For example, ESPFIX is before EFI because its virtual address is
96	- * before. You also need to add a BUILD_BUG_ON() in kernel_randomize_memory() to
97	- * ensure that this order is correct and won't be changed.
98	+ * The end address could depend on more configuration options to make the
99	+ * highest amount of space for randomization available, but that's too hard
100	+ * to keep straight and caused issues already.
101	*/
102	static const unsigned long vaddr_start = __PAGE_OFFSET_BASE;
103	-
104	-#if defined(CONFIG_X86_ESPFIX64)
105	-static const unsigned long vaddr_end = ESPFIX_BASE_ADDR;
106	-#elif defined(CONFIG_EFI)
107	-static const unsigned long vaddr_end = EFI_VA_END;
108	-#else
109	-static const unsigned long vaddr_end = __START_KERNEL_map;
110	-#endif
111	+static const unsigned long vaddr_end = CPU_ENTRY_AREA_BASE;
112
113	/* Default values */
114	unsigned long page_offset_base = __PAGE_OFFSET_BASE;
115	@@ -101,15 +90,12 @@ void __init kernel_randomize_memory(void
116	unsigned long remain_entropy;
117
118	/*
119	- * All these BUILD_BUG_ON checks ensures the memory layout is
120	- * consistent with the vaddr_start/vaddr_end variables.
121	+ * These BUILD_BUG_ON checks ensure the memory layout is consistent
122	+ * with the vaddr_start/vaddr_end variables. These checks are very
123	+ * limited....
124	*/
125	BUILD_BUG_ON(vaddr_start >= vaddr_end);
126	- BUILD_BUG_ON(IS_ENABLED(CONFIG_X86_ESPFIX64) &&
127	- vaddr_end >= EFI_VA_END);
128	- BUILD_BUG_ON((IS_ENABLED(CONFIG_X86_ESPFIX64) \|\|
129	- IS_ENABLED(CONFIG_EFI)) &&
130	- vaddr_end >= __START_KERNEL_map);
131	+ BUILD_BUG_ON(vaddr_end != CPU_ENTRY_AREA_BASE);
132	BUILD_BUG_ON(vaddr_end > __START_KERNEL_map);
133
134	if (!kaslr_memory_enabled())