[resend Patch v3 1/2] kaslr: check if kernel location is changed

Baoquan He bhe at redhat.com
Wed Oct 8 07:40:05 PDT 2014 

On 09/30/14 at 02:21pm, H. Peter Anvin wrote:
> On 09/30/2014 12:08 AM, Baoquan He wrote:
> > Function handle_relocations() is used to do the relocations handling
> > for i686 and kaslr of x86_64. For 32 bit the relocation handling is
> > mandotary to perform. For x86_64 only when kaslr is enabled and a
> > random kernel location is chosen successfully the relocation handling
> > shound be done. However previous implementation only compared the
> > kernel loading address and LOAD_PHYSICAL_ADDR where kernel were
> > compiled to run at. This would casue system to be exceptional in
> > few conditions like when delta between load address and compiled
> > address is bigger than what 32bit signed relocations can handle.
> > Also there will be limitations that delta can't be too big otherwise
> > kernel text virtual addresses will overflow in module address space.
> > 
> > So in this patch check if kernel location is changed after
> > choose_kernel_location() when x86_64. If and only if in x86_64
> > and kernel location is changed, we say a kaslr random kernel
> > location is chosen, then the relocation handling is needed.
> > 
> > Signed-off-by: Baoquan He <bhe at redhat.com>
> > Acked-by: Vivek Goyal <vgoyal at redhat.com>
> > Acked-by: Kees Cook <keescook at chromium.org>
> > Tested-by: Thomas D. <whissi at whissi.de>
> > Cc: stable at vger.kernel.org
> 
> Could you clarify under what conditions we may end up with 32-bit signed
> overflow, and yet have a functional kernel?

Hi hpa,

As Vivek has replied, and from my test result, in x86_64 when kernel is
loaded above 2G by bootloader, the 32-bit signed overflow will happen.
Meanwhile the error() in arch/x86/boot/compressed/misc.c will be called,
this function will execute 'hlt' instruction, then system halted.

In current kaslr, there are 3 hebaviours. Since the candidate slot for
randomized kernel location is only between kernel loaded address and 1G,
it doesn't choose a new kernel location when kernel is loaded above 1G.

1) Kernel is loaded between 0x1000000 and 1G, kaslr works well.

2)kernel is loaded between 1G and 2G, kernel doesn't choose a new kernel
location, so the ourput_orig==output > 1G. But current code compares the
output with LOAD_PHYSICAL_ADDR, relocation handling is still taken and
this cause kenrel text mapping stomps module mapping space. So in this
case form printing we can see kaslr passed, but kernel reboot to bios
immediately.

3) When kernel is loaded above 2G, this is the 32-bit signed overflow as
we discussed above.

So this patch can fix case 2  and case 3. 

Thanks
Baoquan
> 
>

More information about the kexec mailing list