x86/KASLR: Parse all 'memmap=' boot option entries

In commit:

  f28442497b5c ("x86/boot: Fix KASLR and memmap= collision")

... the memmap= option is parsed so that KASLR can avoid those reserved
regions. It uses cmdline_find_option() to get the value if memmap=
is specified, however the problem is that cmdline_find_option() can only
find the last entry if multiple memmap entries are provided. This
is not correct.

Address this by checking each command line token for a "memmap=" match
and parse each instance instead of using cmdline_find_option().

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dan.j.williams@intel.com
Cc: douly.fnst@cn.fujitsu.com
Cc: dyoung@redhat.com
Cc: m.mizuma@jp.fujitsu.com
Link: http://lkml.kernel.org/r/1494654390-23861-2-git-send-email-bhe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>

diff --git a/arch/x86/boot/compressed/cmdline.c b/arch/x86/boot/compressed/cmdline.c
index 73ccf63..9dc1ce6 100644 (file)
--- a/arch/x86/boot/compressed/cmdline.c
+++ b/arch/x86/boot/compressed/cmdline.c
@@ -13,7 +13,7 @@ static inline char rdfs8(addr_t addr)
        return *((char *)(fs + addr));
 }
 #include "../cmdline.c"
-static unsigned long get_cmd_line_ptr(void)
+unsigned long get_cmd_line_ptr(void)
 {
        unsigned long cmd_line_ptr = boot_params->hdr.cmd_line_ptr;
 

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 54c24f0..106e13b 100644 (file)
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -9,16 +9,41 @@
  * contain the entire properly aligned running kernel image.
  *
  */
+
+/*
+ * isspace() in linux/ctype.h is expected by next_args() to filter
+ * out "space/lf/tab". While boot/ctype.h conflicts with linux/ctype.h,
+ * since isdigit() is implemented in both of them. Hence disable it
+ * here.
+ */
+#define BOOT_CTYPE_H
+
+/*
+ * _ctype[] in lib/ctype.c is needed by isspace() of linux/ctype.h.
+ * While both lib/ctype.c and lib/cmdline.c will bring EXPORT_SYMBOL
+ * which is meaningless and will cause compiling error in some cases.
+ * So do not include linux/export.h and define EXPORT_SYMBOL(sym)
+ * as empty.
+ */
+#define _LINUX_EXPORT_H
+#define EXPORT_SYMBOL(sym)
+
 #include "misc.h"
 #include "error.h"
-#include "../boot.h"
 
 #include <generated/compile.h>
 #include <linux/module.h>
 #include <linux/uts.h>
 #include <linux/utsname.h>
+#include <linux/ctype.h>
 #include <generated/utsrelease.h>
 
+/* Macros used by the included decompressor code below. */
+#define STATIC
+#include <linux/decompress/mm.h>
+
+extern unsigned long get_cmd_line_ptr(void);
+
 /* Simplified build-specific string for starting entropy. */
 static const char build_str[] = UTS_RELEASE " (" LINUX_COMPILE_BY "@"
                LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") " UTS_VERSION;
@@ -62,6 +87,7 @@ struct mem_vector {
 
 static bool memmap_too_large;
 
+
 enum mem_avoid_index {
        MEM_AVOID_ZO_RANGE = 0,
        MEM_AVOID_INITRD,
@@ -85,49 +111,14 @@ static bool mem_overlaps(struct mem_vector *one, struct mem_vector *two)
        return true;
 }
 
-/**
- *     _memparse - Parse a string with mem suffixes into a number
- *     @ptr: Where parse begins
- *     @retptr: (output) Optional pointer to next char after parse completes
- *
- *     Parses a string into a number.  The number stored at @ptr is
- *     potentially suffixed with K, M, G, T, P, E.
- */
-static unsigned long long _memparse(const char *ptr, char **retptr)
+char *skip_spaces(const char *str)
 {
-       char *endptr;   /* Local pointer to end of parsed string */
-
-       unsigned long long ret = simple_strtoull(ptr, &endptr, 0);
-
-       switch (*endptr) {
-       case 'E':
-       case 'e':
-               ret <<= 10;
-       case 'P':
-       case 'p':
-               ret <<= 10;
-       case 'T':
-       case 't':
-               ret <<= 10;
-       case 'G':
-       case 'g':
-               ret <<= 10;
-       case 'M':
-       case 'm':
-               ret <<= 10;
-       case 'K':
-       case 'k':
-               ret <<= 10;
-               endptr++;
-       default:
-               break;
-       }
-
-       if (retptr)
-               *retptr = endptr;
-
-       return ret;
+       while (isspace(*str))
+               ++str;
+       return (char *)str;
 }
+#include "../../../../lib/ctype.c"
+#include "../../../../lib/cmdline.c"
 
 static int
 parse_memmap(char *p, unsigned long long *start, unsigned long long *size)
@@ -142,7 +133,7 @@ parse_memmap(char *p, unsigned long long *start, unsigned long long *size)
                return -EINVAL;
 
        oldp = p;
-       *size = _memparse(p, &p);
+       *size = memparse(p, &p);
        if (p == oldp)
                return -EINVAL;
 
@@ -155,27 +146,21 @@ parse_memmap(char *p, unsigned long long *start, unsigned long long *size)
        case '#':
        case '$':
        case '!':
-               *start = _memparse(p + 1, &p);
+               *start = memparse(p + 1, &p);
                return 0;
        }
 
        return -EINVAL;
 }
 
-static void mem_avoid_memmap(void)
+static void mem_avoid_memmap(char *str)
 {
-       char arg[128];
+       static int i;
        int rc;
-       int i;
-       char *str;
 
-       /* See if we have any memmap areas */
-       rc = cmdline_find_option("memmap", arg, sizeof(arg));
-       if (rc <= 0)
+       if (i >= MAX_MEMMAP_REGIONS)
                return;
 
-       i = 0;
-       str = arg;
        while (str && (i < MAX_MEMMAP_REGIONS)) {
                int rc;
                unsigned long long start, size;
@@ -202,6 +187,49 @@ static void mem_avoid_memmap(void)
                memmap_too_large = true;
 }
 
+
+/*
+ * handle_mem_memmap will also cover 'mem=' issue in next patch. Will remove
+ * this note later.
+ */
+static int handle_mem_memmap(void)
+{
+       char *args = (char *)get_cmd_line_ptr();
+       size_t len = strlen((char *)args);
+       char *tmp_cmdline;
+       char *param, *val;
+
+       if (!strstr(args, "memmap="))
+               return 0;
+
+       tmp_cmdline = malloc(len + 1);
+       if (!tmp_cmdline )
+               error("Failed to allocate space for tmp_cmdline");
+
+       memcpy(tmp_cmdline, args, len);
+       tmp_cmdline[len] = 0;
+       args = tmp_cmdline;
+
+       /* Chew leading spaces */
+       args = skip_spaces(args);
+
+       while (*args) {
+               args = next_arg(args, &param, &val);
+               /* Stop at -- */
+               if (!val && strcmp(param, "--") == 0) {
+                       warn("Only '--' specified in cmdline");
+                       free(tmp_cmdline);
+                       return -1;
+               }
+
+               if (!strcmp(param, "memmap"))
+                       mem_avoid_memmap(val);
+       }
+
+       free(tmp_cmdline);
+       return 0;
+}
+
 /*
  * In theory, KASLR can put the kernel anywhere in the range of [16M, 64T).
  * The mem_avoid array is used to store the ranges that need to be avoided
@@ -323,7 +351,7 @@ static void mem_avoid_init(unsigned long input, unsigned long input_size,
        /* We don't need to set a mapping for setup_data. */
 
        /* Mark the memmap regions we need to avoid */
-       mem_avoid_memmap();
+       handle_mem_memmap();
 
 #ifdef CONFIG_X86_VERBOSE_BOOTUP
        /* Make sure video RAM can be used. */

diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c
index 5457b02..630e366 100644 (file)
--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -122,6 +122,14 @@ unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int bas
        return result;
 }
 
+long simple_strtol(const char *cp, char **endp, unsigned int base)
+{
+       if (*cp == '-')
+               return -simple_strtoull(cp + 1, endp, base);
+
+       return simple_strtoull(cp, endp, base);
+}
+
 /**
  * strlen - Find the length of a string
  * @s: The string to be sized