Re: [PATCH] rtas: Validate rtas entry before calling enter_rtas
On Sat, 2015-10-17 at 10:04 +0530, Vasant Hegde wrote:
> On 10/16/2015 11:49 PM, Denis Kirjanov wrote:
> > On 10/16/15, Vasant Hegde wrote:
> > > On 10/16/2015 04:02 PM, Denis Kirjanov wrote:
> > > > On 10/16/15, Vasant Hegde wrote:
> > > > > Currently we do not validate rtas entry before calling enter_rtas().
> > > >
> > > > have you figured out why we have null entry?
> > > Yes... On PowerNV platform we don't have RTAS.. Hence it's not
> > > initialized.
> > But why do we have CONFIG_PPC_RTAS on OPAL machines then?
> Today we use single config to build kernel for both PowerNV and PAPR guest. So
> that same ISO can be used in different environment (PAPR LPAR, PowerNV host,
> guest). I believe most distro also following this method. Hence we need this
> validation.

Yes that's right.

Many of our platforms can coexist. So for example you can build a 64-bit big
endian kernel with support for G5, pSeries, Powernv, PS3, IBM Cell Blades,
Pasemi, & Maple (Bimini).

That means code that is #ifdef'ed to depend on one of those platforms, may end
up running on another platform. So we usually also need a runtime check to make
sure code doesn't run in the wrong places.

You'll see a lot of initcalls are machine_xxx_initcalls(), which means they
only run if the correct platform was detected. There's also
firmware_has_feature() checks, and then also device tree based detection.

This one seems to have slipped through the cracks because the tools that call
sys_rtas() are not used on powernv machines, so no one has thought to call that
syscall. And on pseries machines rtas is always present, though obviously the
code should have still checked rtas.entry to be safe.

cheers

___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
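Michael's point about needing a runtime platform check on top of the build-time #ifdef, worked through as an added example that is not from this thread or from arch/powerpc/kernel/rtas.c: a user-space C model of the ppc_rtas() syscall entry with the patch's guard in place, booted once as a pSeries-style machine (RTAS present) and once as a PowerNV-style machine (OPAL, no RTAS). The names rtas.entry, firmware_has_feature() and FW_FEATURE_RTAS are borrowed from the kernel, but the struct layout, RTAS_MAX_ARGS, the fake entry point, the boot_* helpers and the nargs/nret bounds check are assumptions of the model and go beyond the hunk on this page; capable(CAP_SYS_ADMIN) is stood in by a boolean and copy_from_user()/copy_to_user() by memcpy().

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of the ppc_rtas() syscall entry and of the
 * platform gating described in the thread.  Names mirror the kernel's
 * (rtas.entry, firmware_has_feature, FW_FEATURE_RTAS) but nothing here is
 * the kernel's code; sizes and the fake entry point are assumptions.
 */
#define RTAS_MAX_ARGS 16

struct rtas_args {
	uint32_t token;
	uint32_t nargs;
	uint32_t nret;
	uint32_t args[RTAS_MAX_ARGS];	/* nargs inputs followed by nret outputs */
};

/* Firmware entry point.  Only filled in when the platform has RTAS;
 * on a PowerNV (OPAL) boot it stays NULL. */
typedef int (*rtas_entry_fn)(struct rtas_args *);
static struct { rtas_entry_fn entry; } rtas;

/* Model of powerpc_firmware_features / firmware_has_feature(). */
#define FW_FEATURE_RTAS	(1UL << 0)
#define FW_FEATURE_OPAL	(1UL << 1)
static unsigned long powerpc_firmware_features;

static bool firmware_has_feature(unsigned long feature)
{
	return (powerpc_firmware_features & feature) != 0;
}

/* Stand-in firmware: store the token in the first return slot. */
static int fake_rtas_entry(struct rtas_args *a)
{
	a->args[a->nargs] = a->token;
	return 0;
}

/* Simulated platform probe: the state a machine_*_initcall() or device
 * tree scan would leave behind on each platform (assumed, not real). */
void boot_pseries(void)
{
	powerpc_firmware_features = FW_FEATURE_RTAS;
	rtas.entry = fake_rtas_entry;
}

void boot_powernv(void)
{
	powerpc_firmware_features = FW_FEATURE_OPAL;
	rtas.entry = NULL;	/* never initialised: no RTAS on PowerNV */
}

/*
 * Syscall entry after the fix.  `privileged` models capable(CAP_SYS_ADMIN);
 * the memcpy() calls model copy_from_user()/copy_to_user().  The nargs/nret
 * bounds check is not part of the posted hunk; it is the other validation
 * such an entry point needs before it trusts the user-supplied header.
 */
int ppc_rtas_checked(struct rtas_args *uargs, bool privileged)
{
	struct rtas_args args;

	if (!privileged)
		return -EPERM;

	/* The fix: never branch through a firmware entry this platform does
	 * not have.  Checking the feature bit and the pointer covers a kernel
	 * built with CONFIG_PPC_RTAS but booted on OPAL firmware. */
	if (!firmware_has_feature(FW_FEATURE_RTAS) || !rtas.entry)
		return -EINVAL;

	memcpy(&args, uargs, 3 * sizeof(uint32_t));	/* token, nargs, nret */

	if (args.nargs >= RTAS_MAX_ARGS || args.nret > RTAS_MAX_ARGS ||
	    args.nargs + args.nret > RTAS_MAX_ARGS)
		return -EINVAL;

	memcpy(args.args, uargs->args, args.nargs * sizeof(uint32_t));

	int rc = rtas.entry(&args);	/* models enter_rtas() */

	/* Hand only the nret result slots back to the caller. */
	memcpy(uargs->args + args.nargs, args.args + args.nargs,
	       args.nret * sizeof(uint32_t));
	return rc;
}

/* The pre-fix shape, kept for contrast: after boot_powernv() this jumps
 * through a NULL pointer, which is the "NIP [] (null)" oops in the report.
 * Only call it after boot_pseries(). */
int ppc_rtas_unchecked(struct rtas_args *uargs, bool privileged)
{
	struct rtas_args args;

	if (!privileged)
		return -EPERM;
	memcpy(&args, uargs, sizeof(args));
	int rc = rtas.entry(&args);
	memcpy(uargs, &args, sizeof(args));
	return rc;
}

int main(void)
{
	struct rtas_args a = { .token = 0x2a, .nargs = 1, .nret = 1, .args = { 7 } };

	boot_powernv();
	printf("powernv, unprivileged: %d\n", ppc_rtas_checked(&a, false));	/* -EPERM */
	printf("powernv, privileged:   %d\n", ppc_rtas_checked(&a, true));	/* -EINVAL */

	boot_pseries();
	printf("pseries, privileged:   %d, ret[0]=0x%x\n",
	       ppc_rtas_checked(&a, true), a.args[1]);			/* 0, 0x2a */
	return 0;
}
```

Any C99 compiler builds it. The PowerNV case returns -EINVAL without ever reaching rtas.entry, which is the branch that produced the NIP (null) oops under ppc_rtas+0x150 in the report; the unprivileged case still fails with -EPERM first, so the presence or absence of RTAS is not revealed to callers that could not use it anyway.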
Re: [PATCH] rtas: Validate rtas entry before calling enter_rtas
On 10/16/15, Vasant Hegde wrote: > On 10/16/2015 04:02 PM, Denis Kirjanov wrote: >> On 10/16/15, Vasant Hegde wrote: >>> Currently we do not validate rtas entry before calling enter_rtas(). >>> This >>> is resulting in a kernel oops (see below) when user space calls rtas >>> system >>> call on PowerNV platform. We hit below oops when we ran trinity (system >>> call >>> fuzzer) on PowerNV. This patch adds code to validate rtas entry before >>> making >>> enter_rtas() call. >> >> Hi, >> have you figured out why we have null entry? > > Denis, > > Yes... On PowerNV platform we don't have RTAS.. Hence it's not initialized. But why do we have CONFIG_PPC_RTAS on OPAL machines then? > > -Vasant > >> >> Thanks! >>> >>> dmesg: >>> - >>> [22061.541428] Oops: Exception in kernel mode, sig: 4 [#1] >>> [22061.541446] SMP NR_CPUS=1024 NUMA PowerNV >>> [22061.541453] Modules linked in: rfcomm bnep nfnetlink >>> scsi_transport_iscsi >>> hidp nfc af_802154 ieee802154 bluetooth rfkill pppoe pppox ppp_generic >>> slhc >>> irda crc_ccitt af_key sctp libcrc32c atm appletalk ipx p8023 psnap p8022 >>> ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_CHECKSUM tun ip6t_rpfilter >>> ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack >>> ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables >>> ip6table_mangle ip6table_security ip6table_raw ip6table_filter >>> ip6_tables >>> iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat >>> nf_conntrack >>> iptable_mangle iptable_security iptable_raw windfarm_smu_sat ses >>> enclosure >>> windfarm_pid shpchp i2c_opal i2c_core kvm_hv kvm_pr dm_multipath kvm >>> lpfc >>> tg3 ptp pps_core scsi_transport_fc >>> [22061.541561] CPU: 40 PID: 57748 Comm: trinity-c11 Not tainted >>> 3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le #1 >>> [22061.541566] task: c4294b80 ti: c007e1a78000 task.ti: >>> c007e1a78000 >>> [22061.541570] NIP: LR: 9c14 CTR: >>> c0423140 >>> [22061.541573] REGS: c007e1a7b920 TRAP: 0e40 Not tainted >>> 
(3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) >>> [22061.541577] MSR: 10081000 CR: XER: >>> >>> [22061.541585] CFAR: c0009c0c SOFTE: 0 >>> GPR00: 90001031 c007e1a7bba0 c12b1d00 >>> 01338840 >>> GPR04: 10001000 >>> 90001033 >>> GPR08: 4000 80002933 3fff9e9d0068 >>> >>> GPR12: 00ff c7db7c00 >>> >>> GPR16: >>> >>> GPR20: >>> >>> GPR24: dc58 0001 >>> c01ee716e000 >>> GPR28: c1338840 3fff9db3 >>> >>> [22061.541629] NIP [] (null) >>> [22061.541637] LR [9c14] 0x9c14 >>> [22061.541640] Call Trace: >>> [22061.541649] [c007e1a7bba0] [c041a7f4] >>> avc_has_perm_noaudit+0x54/0x110 (unreliable) >>> [22061.541657] [c007e1a7bd80] [c002ddc0] >>> ppc_rtas+0x150/0x2d0 >>> [22061.541662] [c007e1a7be30] [c0009358] >>> syscall_exit+0x0/0x98 >>> [22061.541666] Instruction dump: >>> [22061.541669] >>> >>> [22061.541675] 6000 6000 >>> 6000 6000 >>> [22061.541688] ---[ end trace 6f9bf0b3d32096aa ]--- >>> >>> Reported-by: NAGESWARA R. SASTRY >>> Signed-off-by: Vasant Hegde >>> --- >>> arch/powerpc/kernel/rtas.c |3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c >>> index 84bf934..5a753fa 100644 >>> --- a/arch/powerpc/kernel/rtas.c >>> +++ b/arch/powerpc/kernel/rtas.c >>> @@ -1043,6 +1043,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user >>> *uargs) >>> if (!capable(CAP_SYS_ADMIN)) >>> return -EPERM; >>> >>> + if (!rtas.entry) >>> + return -EINVAL; >>> + >>> if (copy_from_user(, uargs, 3 * sizeof(u32)) != 0) >>> return -EFAULT; >>> >>> >>> ___ >>> Linuxppc-dev mailing list >>> Linuxppc-dev@lists.ozlabs.org >>> https://lists.ozlabs.org/listinfo/linuxppc-dev >> > > ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] rtas: Validate rtas entry before calling enter_rtas
On 10/16/15, Vasant Hegde wrote: > Currently we do not validate rtas entry before calling enter_rtas(). This > is resulting in a kernel oops (see below) when user space calls rtas system > call on PowerNV platform. We hit below oops when we ran trinity (system call > fuzzer) on PowerNV. This patch adds code to validate rtas entry before > making > enter_rtas() call. Hi, have you figured out why we have null entry? Thanks! > > dmesg: > - > [22061.541428] Oops: Exception in kernel mode, sig: 4 [#1] > [22061.541446] SMP NR_CPUS=1024 NUMA PowerNV > [22061.541453] Modules linked in: rfcomm bnep nfnetlink scsi_transport_iscsi > hidp nfc af_802154 ieee802154 bluetooth rfkill pppoe pppox ppp_generic slhc > irda crc_ccitt af_key sctp libcrc32c atm appletalk ipx p8023 psnap p8022 > ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_CHECKSUM tun ip6t_rpfilter > ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack > ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables > ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables > iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack > iptable_mangle iptable_security iptable_raw windfarm_smu_sat ses enclosure > windfarm_pid shpchp i2c_opal i2c_core kvm_hv kvm_pr dm_multipath kvm lpfc > tg3 ptp pps_core scsi_transport_fc > [22061.541561] CPU: 40 PID: 57748 Comm: trinity-c11 Not tainted > 3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le #1 > [22061.541566] task: c4294b80 ti: c007e1a78000 task.ti: > c007e1a78000 > [22061.541570] NIP: LR: 9c14 CTR: > c0423140 > [22061.541573] REGS: c007e1a7b920 TRAP: 0e40 Not tainted > (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) > [22061.541577] MSR: 10081000 CR: XER: > > [22061.541585] CFAR: c0009c0c SOFTE: 0 > GPR00: 90001031 c007e1a7bba0 c12b1d00 > 01338840 > GPR04: 10001000 > 90001033 > GPR08: 4000 80002933 3fff9e9d0068 > > GPR12: 00ff c7db7c00 > > GPR16: > > GPR20: > > GPR24: dc58 0001 > c01ee716e000 > GPR28: c1338840 3fff9db3 > > 
[22061.541629] NIP [] (null) > [22061.541637] LR [9c14] 0x9c14 > [22061.541640] Call Trace: > [22061.541649] [c007e1a7bba0] [c041a7f4] > avc_has_perm_noaudit+0x54/0x110 (unreliable) > [22061.541657] [c007e1a7bd80] [c002ddc0] > ppc_rtas+0x150/0x2d0 > [22061.541662] [c007e1a7be30] [c0009358] > syscall_exit+0x0/0x98 > [22061.541666] Instruction dump: > [22061.541669] > > [22061.541675] 6000 6000 > 6000 6000 > [22061.541688] ---[ end trace 6f9bf0b3d32096aa ]--- > > Reported-by: NAGESWARA R. SASTRY > Signed-off-by: Vasant Hegde > --- > arch/powerpc/kernel/rtas.c |3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c > index 84bf934..5a753fa 100644 > --- a/arch/powerpc/kernel/rtas.c > +++ b/arch/powerpc/kernel/rtas.c > @@ -1043,6 +1043,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user > *uargs) > if (!capable(CAP_SYS_ADMIN)) > return -EPERM; > > + if (!rtas.entry) > + return -EINVAL; > + > if (copy_from_user(, uargs, 3 * sizeof(u32)) != 0) > return -EFAULT; > > > ___ > Linuxppc-dev mailing list > Linuxppc-dev@lists.ozlabs.org > https://lists.ozlabs.org/listinfo/linuxppc-dev ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH] rtas: Validate rtas entry before calling enter_rtas
Currently we do not validate rtas entry before calling enter_rtas(). This is resulting in a kernel oops (see below) when user space calls rtas system call on PowerNV platform. We hit below oops when we ran trinity (system call fuzzer) on PowerNV. This patch adds code to validate rtas entry before making enter_rtas() call. dmesg: - [22061.541428] Oops: Exception in kernel mode, sig: 4 [#1] [22061.541446] SMP NR_CPUS=1024 NUMA PowerNV [22061.541453] Modules linked in: rfcomm bnep nfnetlink scsi_transport_iscsi hidp nfc af_802154 ieee802154 bluetooth rfkill pppoe pppox ppp_generic slhc irda crc_ccitt af_key sctp libcrc32c atm appletalk ipx p8023 psnap p8022 ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_CHECKSUM tun ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw windfarm_smu_sat ses enclosure windfarm_pid shpchp i2c_opal i2c_core kvm_hv kvm_pr dm_multipath kvm lpfc tg3 ptp pps_core scsi_transport_fc [22061.541561] CPU: 40 PID: 57748 Comm: trinity-c11 Not tainted 3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le #1 [22061.541566] task: c4294b80 ti: c007e1a78000 task.ti: c007e1a78000 [22061.541570] NIP: LR: 9c14 CTR: c0423140 [22061.541573] REGS: c007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) [22061.541577] MSR: 10081000CR: XER: [22061.541585] CFAR: c0009c0c SOFTE: 0 GPR00: 90001031 c007e1a7bba0 c12b1d00 01338840 GPR04: 10001000 90001033 GPR08: 4000 80002933 3fff9e9d0068 GPR12: 00ff c7db7c00 GPR16: GPR20: GPR24: dc58 0001 c01ee716e000 GPR28: c1338840 3fff9db3 [22061.541629] NIP [] (null) [22061.541637] LR [9c14] 0x9c14 [22061.541640] Call Trace: [22061.541649] [c007e1a7bba0] [c041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable) [22061.541657] 
[c007e1a7bd80] [c002ddc0] ppc_rtas+0x150/0x2d0 [22061.541662] [c007e1a7be30] [c0009358] syscall_exit+0x0/0x98 [22061.541666] Instruction dump: [22061.541669] [22061.541675] 6000 6000 6000 6000 [22061.541688] ---[ end trace 6f9bf0b3d32096aa ]--- Reported-by: NAGESWARA R. SASTRY Signed-off-by: Vasant Hegde --- arch/powerpc/kernel/rtas.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 84bf934..5a753fa 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -1043,6 +1043,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs) if (!capable(CAP_SYS_ADMIN)) return -EPERM; + if (!rtas.entry) + return -EINVAL; + if (copy_from_user(, uargs, 3 * sizeof(u32)) != 0) return -EFAULT; ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
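Review bot: -EINVAL is a questionable return for the `if (!rtas.entry)` check added to ppc_rtas(); the user's arguments have not been read yet, so the caller is told "invalid argument" when the condition is "no RTAS on this platform". -ENOSYS or -ENODEV would describe that more honestly to the tools that call sys_rtas(), and a short comment above the check saying that rtas.entry stays 0 on platforms without RTAS (PowerNV, per the thread) would document why the check is needed in a kernel built with CONFIG_PPC_RTAS. The placement itself is right: after the capable(CAP_SYS_ADMIN) check, so unprivileged callers still get -EPERM, and before any copy_from_user(), so nothing is read from user space for a call that cannot proceed; the oops above (NIP (null) under ppc_rtas+0x150) is exactly the branch through the uninitialised entry that this avoids.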
Re: [PATCH] rtas: Validate rtas entry before calling enter_rtas
On 10/16/2015 04:02 PM, Denis Kirjanov wrote: > On 10/16/15, Vasant Hegde wrote: >> Currently we do not validate rtas entry before calling enter_rtas(). This >> is resulting in a kernel oops (see below) when user space calls rtas system >> call on PowerNV platform. We hit below oops when we ran trinity (system call >> fuzzer) on PowerNV. This patch adds code to validate rtas entry before >> making >> enter_rtas() call. > > Hi, > have you figured out why we have null entry? Denis, Yes... On PowerNV platform we don't have RTAS.. Hence it's not initialized. -Vasant > > Thanks! >> >> dmesg: >> - >> [22061.541428] Oops: Exception in kernel mode, sig: 4 [#1] >> [22061.541446] SMP NR_CPUS=1024 NUMA PowerNV >> [22061.541453] Modules linked in: rfcomm bnep nfnetlink scsi_transport_iscsi >> hidp nfc af_802154 ieee802154 bluetooth rfkill pppoe pppox ppp_generic slhc >> irda crc_ccitt af_key sctp libcrc32c atm appletalk ipx p8023 psnap p8022 >> ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_CHECKSUM tun ip6t_rpfilter >> ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack >> ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables >> ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables >> iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack >> iptable_mangle iptable_security iptable_raw windfarm_smu_sat ses enclosure >> windfarm_pid shpchp i2c_opal i2c_core kvm_hv kvm_pr dm_multipath kvm lpfc >> tg3 ptp pps_core scsi_transport_fc >> [22061.541561] CPU: 40 PID: 57748 Comm: trinity-c11 Not tainted >> 3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le #1 >> [22061.541566] task: c4294b80 ti: c007e1a78000 task.ti: >> c007e1a78000 >> [22061.541570] NIP: LR: 9c14 CTR: >> c0423140 >> [22061.541573] REGS: c007e1a7b920 TRAP: 0e40 Not tainted >> (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) >> [22061.541577] MSR: 10081000 CR: XER: >> >> [22061.541585] CFAR: c0009c0c SOFTE: 0 >> GPR00: 90001031 c007e1a7bba0 c12b1d00 >> 01338840 >> 
GPR04: 10001000 >> 90001033 >> GPR08: 4000 80002933 3fff9e9d0068 >> >> GPR12: 00ff c7db7c00 >> >> GPR16: >> >> GPR20: >> >> GPR24: dc58 0001 >> c01ee716e000 >> GPR28: c1338840 3fff9db3 >> >> [22061.541629] NIP [] (null) >> [22061.541637] LR [9c14] 0x9c14 >> [22061.541640] Call Trace: >> [22061.541649] [c007e1a7bba0] [c041a7f4] >> avc_has_perm_noaudit+0x54/0x110 (unreliable) >> [22061.541657] [c007e1a7bd80] [c002ddc0] >> ppc_rtas+0x150/0x2d0 >> [22061.541662] [c007e1a7be30] [c0009358] >> syscall_exit+0x0/0x98 >> [22061.541666] Instruction dump: >> [22061.541669] >> >> [22061.541675] 6000 6000 >> 6000 6000 >> [22061.541688] ---[ end trace 6f9bf0b3d32096aa ]--- >> >> Reported-by: NAGESWARA R. SASTRY >> Signed-off-by: Vasant Hegde >> --- >> arch/powerpc/kernel/rtas.c |3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c >> index 84bf934..5a753fa 100644 >> --- a/arch/powerpc/kernel/rtas.c >> +++ b/arch/powerpc/kernel/rtas.c >> @@ -1043,6 +1043,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user >> *uargs) >> if (!capable(CAP_SYS_ADMIN)) >> return -EPERM; >> >> +if (!rtas.entry) >> +return -EINVAL; >> + >> if (copy_from_user(, uargs, 3 * sizeof(u32)) != 0) >> return -EFAULT; >> >> >> ___ >> Linuxppc-dev mailing list >> Linuxppc-dev@lists.ozlabs.org >> https://lists.ozlabs.org/listinfo/linuxppc-dev > ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] rtas: Validate rtas entry before calling enter_rtas
On 10/16/2015 11:49 PM, Denis Kirjanov wrote:
> On 10/16/15, Vasant Hegde wrote:
>> On 10/16/2015 04:02 PM, Denis Kirjanov wrote:
>>> On 10/16/15, Vasant Hegde wrote:
>>>> Currently we do not validate rtas entry before calling enter_rtas(). This
>>>> is resulting in a kernel oops (see below) when user space calls rtas system
>>>> call on PowerNV platform. We hit below oops when we ran trinity (system call
>>>> fuzzer) on PowerNV. This patch adds code to validate rtas entry before making
>>>> enter_rtas() call.
>>>
>>> Hi,
>>> have you figured out why we have null entry?
>>
>> Denis,
>>
>> Yes... On PowerNV platform we don't have RTAS.. Hence it's not initialized.
> But why do we have CONFIG_PPC_RTAS on OPAL machines then?

Denis,

Sorry. I should have elaborated a little bit..

Today we use a single config to build the kernel for both PowerNV and PAPR guest, so
that the same ISO can be used in different environments (PAPR LPAR, PowerNV host,
guest). I believe most distros are also following this method. Hence we need this
validation.

-Vasant