From patchwork Wed Jul 27 15:59:56 2016
X-Patchwork-Submitter: Thomas Garnier
X-Patchwork-Id: 9250027
From: Thomas Garnier
To: Thomas Gleixner, Ingo Molnar, "H . Peter Anvin", Thomas Garnier, Kees Cook
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Date: Wed, 27 Jul 2016 08:59:56 -0700
Message-Id: <1469635196-122447-1-git-send-email-thgarnie@google.com>
Subject: [kernel-hardening] [PATCH] x86/mm: Enable KASLR for vmemmap memory region (x86_64)

Add vmemmap in the list of randomized memory regions.

The vmemmap region holds a representation of the physical memory (through a struct page array). An attacker could use this region to disclose the kernel memory layout (walking the page linked list).

Signed-off-by: Thomas Garnier
Signed-off-by: Kees Cook --- Missing patch didn't pick-up by the tip bot on KASLR memory randomization. Resending after rebase on tip and tests as discussed with Ingo. Based on tip 4bcc8cf6ab5932cbb2511c8e18065e61b069f21c --- arch/x86/include/asm/kaslr.h | 1 + arch/x86/include/asm/pgtable_64_types.h | 4 +++- arch/x86/mm/kaslr.c | 24 +++++++++++++++++++++++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/kaslr.h b/arch/x86/include/asm/kaslr.h index 2674ee3..1052a79 100644 --- a/arch/x86/include/asm/kaslr.h +++ b/arch/x86/include/asm/kaslr.h @@ -6,6 +6,7 @@ unsigned long kaslr_get_random_long(const char *purpose); #ifdef CONFIG_RANDOMIZE_MEMORY extern unsigned long page_offset_base; extern unsigned long vmalloc_base; +extern unsigned long vmemmap_base; void kernel_randomize_memory(void); #else diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 6fdef9e..3a26420 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -57,11 +57,13 @@ typedef struct { pteval_t pte; } pte_t; #define MAXMEM _AC(__AC(1, UL) << MAX_PHYSMEM_BITS, UL) #define VMALLOC_SIZE_TB _AC(32, UL) #define __VMALLOC_BASE _AC(0xffffc90000000000, UL) -#define VMEMMAP_START _AC(0xffffea0000000000, UL) +#define __VMEMMAP_BASE _AC(0xffffea0000000000, UL) #ifdef CONFIG_RANDOMIZE_MEMORY #define VMALLOC_START vmalloc_base +#define VMEMMAP_START vmemmap_base #else #define VMALLOC_START __VMALLOC_BASE +#define VMEMMAP_START __VMEMMAP_BASE #endif /* CONFIG_RANDOMIZE_MEMORY */ #define VMALLOC_END (VMALLOC_START + _AC((VMALLOC_SIZE_TB << 40) - 1, UL)) #define MODULES_VADDR (__START_KERNEL_map + KERNEL_IMAGE_SIZE) diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c index 26dccd6..3e9875f 100644 --- a/arch/x86/mm/kaslr.c +++ b/arch/x86/mm/kaslr.c 
@@ -44,13 +44,22 @@ * ensure that this order is correct and won't be changed. */ static const unsigned long vaddr_start = __PAGE_OFFSET_BASE; -static const unsigned long vaddr_end = VMEMMAP_START; + +#if defined(CONFIG_X86_ESPFIX64) +static const unsigned long vaddr_end = ESPFIX_BASE_ADDR; +#elif defined(CONFIG_EFI) +static const unsigned long vaddr_end = EFI_VA_START; +#else +static const unsigned long vaddr_end = __START_KERNEL_map; +#endif /* Default values */ unsigned long page_offset_base = __PAGE_OFFSET_BASE; EXPORT_SYMBOL(page_offset_base); unsigned long vmalloc_base = __VMALLOC_BASE; EXPORT_SYMBOL(vmalloc_base); +unsigned long vmemmap_base = __VMEMMAP_BASE; +EXPORT_SYMBOL(vmemmap_base); /* * Memory regions randomized by KASLR (except modules that use a separate logic @@ -63,6 +72,7 @@ static __initdata struct kaslr_memory_region { } kaslr_regions[] = { { &page_offset_base, 64/* Maximum */ }, { &vmalloc_base, VMALLOC_SIZE_TB }, + { &vmemmap_base, 1 }, }; /* Get size in bytes used by the memory region */ @@ -89,6 +99,18 @@ void __init kernel_randomize_memory(void) struct rnd_state rand_state; unsigned long remain_entropy; + /* + * All these BUILD_BUG_ON checks ensures the memory layout is + * consistent with the vaddr_start/vaddr_end variables. + */ + BUILD_BUG_ON(vaddr_start >= vaddr_end); + BUILD_BUG_ON(config_enabled(CONFIG_X86_ESPFIX64) && + vaddr_end >= EFI_VA_START); + BUILD_BUG_ON((config_enabled(CONFIG_X86_ESPFIX64) || + config_enabled(CONFIG_EFI)) && + vaddr_end >= __START_KERNEL_map); + BUILD_BUG_ON(vaddr_end > __START_KERNEL_map); + if (!kaslr_memory_enabled()) return;
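Review bot: in the arch/x86/include/asm/pgtable_64_types.h hunk, VMEMMAP_START stops being a compile-time constant once CONFIG_RANDOMIZE_MEMORY is set (`#define VMEMMAP_START vmemmap_base`), so any user that needs a constant expression, or that reads it before kernel_randomize_memory() has run, now sees a variable holding the default __VMEMMAP_BASE. The patch converts the one use in kaslr.c; please say in the changelog that the remaining users of VMEMMAP_START were checked. The diffstat lists only three source files, so the memory layout documentation should also be updated to state that the vmemmap base is randomized.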
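Review bot: the new `vaddr_end` selection at the top of arch/x86/mm/kaslr.c (the `#if defined(CONFIG_X86_ESPFIX64)` / `#elif defined(CONFIG_EFI)` / `#else` chain) relies on an ordering of ESPFIX_BASE_ADDR, EFI_VA_START and __START_KERNEL_map that is not written down next to it; a short comment stating the assumed order of the regions would make the chain reviewable on its own. Please also confirm that EFI_VA_START is the lowest address of the EFI mapping range, since the name does not say whether it is the low or the high bound, and if the range extends below it the randomized regions could be placed on top of it. The diff adds no #include to kaslr.c, so it is worth checking that both constants are already visible there in every configuration.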
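Review bot: in the kaslr_regions[] hunk, the size in `{ &vmemmap_base, 1 },` is a bare literal with no explanation, while the neighbouring entries carry either a comment (`64/* Maximum */`) or a named constant (VMALLOC_SIZE_TB). Please add a comment or a named constant giving the unit and why 1 is enough to hold the struct page array for the largest supported physical memory (MAXMEM), so that a later change to MAX_PHYSMEM_BITS or to the size of struct page does not silently make the region too small.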
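Review bot: in the kernel_randomize_memory() hunk, the second check, `BUILD_BUG_ON(config_enabled(CONFIG_X86_ESPFIX64) && vaddr_end >= EFI_VA_START)`, references EFI_VA_START whenever it is compiled, independent of CONFIG_EFI, so the constant has to be defined even in builds without EFI; please confirm that or guard the check. These checks also depend on the compiler folding `vaddr_start` and `vaddr_end`, which are `static const unsigned long` objects rather than macros, into constants. The last check, `BUILD_BUG_ON(vaddr_end > __START_KERNEL_map)`, overlaps the one before it and could be the only one kept for the non-ESPFIX, non-EFI case. Small wording fix in the new comment: "checks ensures" should be "checks ensure".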