]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commitdiff
projects / mirror_ubuntu-bionic-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 34239c5)
x86/mm/init: Pass unconverted symbol addresses to free_init_pages()
authorDave Hansen <dave.hansen@linux.intel.com>
Thu, 2 Aug 2018 22:58:28 +0000 (15:58 -0700)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 1 Apr 2019 12:37:29 +0000 (14:37 +0200)
CVE-2017-5754

The x86 code has several places where it frees parts of kernel image:

 1. Unused SMP alternative
 2. __init code
 3. The hole between text and rodata
 4. The hole between rodata and data

We call free_init_pages() to do this.  Strangely, we convert the symbol
addresses to kernel direct map addresses in some cases (#3, #4) but not
others (#1, #2).

The virt_to_page() and the other code in free_reserved_area() now works
fine for for symbol addresses on x86, so don't bother converting the
addresses to direct map addresses before freeing them.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: keescook@google.com
Cc: aarcange@redhat.com
Cc: jgross@suse.com
Cc: jpoimboe@redhat.com
Cc: gregkh@linuxfoundation.org
Cc: peterz@infradead.org
Cc: hughd@google.com
Cc: torvalds@linux-foundation.org
Cc: bp@alien8.de
Cc: luto@kernel.org
Cc: ak@linux.intel.com
Cc: Kees Cook <keescook@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Andi Kleen <ak@linux.intel.com>
Link: https://lkml.kernel.org/r/20180802225828.89B2D0E2@viggo.jf.intel.com
(cherry picked from commit 9f515cdb411ef34f1aaf4c40bb0c932cf6db5de1)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
arch/x86/mm/init_64.c patch | blob | blame | history

diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index 5d8094995bb0ec3fa9ca4beaebb52b93a65cc596..1055d3029b1924fa39cb11e33031962af136adad 100644 (file)
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1272,12 +1272,8 @@ void mark_rodata_ro(void)
        set_memory_ro(start, (end-start) >> PAGE_SHIFT);
 #endif
 
-       free_init_pages("unused kernel",
-                       (unsigned long) __va(__pa_symbol(text_end)),
-                       (unsigned long) __va(__pa_symbol(rodata_start)));
-       free_init_pages("unused kernel",
-                       (unsigned long) __va(__pa_symbol(rodata_end)),
-                       (unsigned long) __va(__pa_symbol(_sdata)));
+       free_init_pages("unused kernel", text_end, rodata_start);
+       free_init_pages("unused kernel", rodata_end, _sdata);
 
        debug_checkwx();
 }
ubuntu-bionic-kernel mirror