2019-06-03 08:44:46 +03:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-06-26 01:57:52 +04:00
|
|
|
/*
|
2015-09-10 01:38:55 +03:00
|
|
|
* kexec.c - kexec_load system call
|
2005-06-26 01:57:52 +04:00
|
|
|
* Copyright (C) 2002-2004 Eric Biederman <ebiederm@xmission.com>
|
|
|
|
*/
|
|
|
|
|
kexec: use file name as the output message prefix
kexec output message misses the prefix "kexec", when Dave Young split the
kexec code. Now, we use file name as the output message prefix.
Currently, the format of output message:
[ 140.290795] SYSC_kexec_load: hello, world
[ 140.291534] kexec: sanity_check_segment_list: hello, world
Ideally, the format of output message:
[ 30.791503] kexec: SYSC_kexec_load, Hello, world
[ 79.182752] kexec_core: sanity_check_segment_list, Hello, world
Remove the custom prefix "kexec" in output message.
Signed-off-by: Minfei Huang <mnfhuang@gmail.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-11-07 03:32:45 +03:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2006-01-11 23:17:46 +03:00
|
|
|
#include <linux/capability.h>
|
2005-06-26 01:57:52 +04:00
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/file.h>
|
2018-07-13 21:05:57 +03:00
|
|
|
#include <linux/security.h>
|
2005-06-26 01:57:52 +04:00
|
|
|
#include <linux/kexec.h>
|
2008-08-15 11:40:27 +04:00
|
|
|
#include <linux/mutex.h>
|
2005-06-26 01:57:52 +04:00
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/syscalls.h>
|
2015-09-10 01:38:51 +03:00
|
|
|
#include <linux/vmalloc.h>
|
2015-09-10 01:38:55 +03:00
|
|
|
#include <linux/slab.h>
|
2005-06-26 01:57:52 +04:00
|
|
|
|
2015-09-10 01:38:51 +03:00
|
|
|
#include "kexec_internal.h"
|
|
|
|
|
2014-08-09 01:25:45 +04:00
|
|
|
static int copy_user_segment_list(struct kimage *image,
|
|
|
|
unsigned long nr_segments,
|
|
|
|
struct kexec_segment __user *segments)
|
2005-06-26 01:57:52 +04:00
|
|
|
{
|
2014-08-09 01:25:45 +04:00
|
|
|
int ret;
|
2005-06-26 01:57:52 +04:00
|
|
|
size_t segment_bytes;
|
|
|
|
|
|
|
|
/* Read in the segments */
|
|
|
|
image->nr_segments = nr_segments;
|
|
|
|
segment_bytes = nr_segments * sizeof(*segments);
|
2014-08-09 01:25:45 +04:00
|
|
|
ret = copy_from_user(image->segment, segments, segment_bytes);
|
|
|
|
if (ret)
|
|
|
|
ret = -EFAULT;
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2014-08-09 01:25:48 +04:00
|
|
|
static int kimage_alloc_init(struct kimage **rimage, unsigned long entry,
|
|
|
|
unsigned long nr_segments,
|
|
|
|
struct kexec_segment __user *segments,
|
|
|
|
unsigned long flags)
|
2005-06-26 01:57:52 +04:00
|
|
|
{
|
2014-08-09 01:25:48 +04:00
|
|
|
int ret;
|
2005-06-26 01:57:52 +04:00
|
|
|
struct kimage *image;
|
2014-08-09 01:25:48 +04:00
|
|
|
bool kexec_on_panic = flags & KEXEC_ON_CRASH;
|
|
|
|
|
|
|
|
if (kexec_on_panic) {
|
|
|
|
/* Verify we have a valid entry point */
|
2016-08-03 00:06:04 +03:00
|
|
|
if ((entry < phys_to_boot_phys(crashk_res.start)) ||
|
|
|
|
(entry > phys_to_boot_phys(crashk_res.end)))
|
2014-08-09 01:25:48 +04:00
|
|
|
return -EADDRNOTAVAIL;
|
|
|
|
}
|
2005-06-26 01:57:52 +04:00
|
|
|
|
|
|
|
/* Allocate and initialize a controlling structure */
|
2014-08-09 01:25:45 +04:00
|
|
|
image = do_kimage_alloc_init();
|
|
|
|
if (!image)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
image->start = entry;
|
|
|
|
|
2014-08-09 01:25:48 +04:00
|
|
|
ret = copy_user_segment_list(image, nr_segments, segments);
|
|
|
|
if (ret)
|
2014-08-09 01:25:45 +04:00
|
|
|
goto out_free_image;
|
|
|
|
|
2014-08-09 01:25:48 +04:00
|
|
|
if (kexec_on_panic) {
|
2016-01-21 02:00:31 +03:00
|
|
|
/* Enable special crash kernel control page alloc policy. */
|
2014-08-09 01:25:48 +04:00
|
|
|
image->control_page = crashk_res.start;
|
|
|
|
image->type = KEXEC_TYPE_CRASH;
|
|
|
|
}
|
|
|
|
|
2016-01-21 02:00:31 +03:00
|
|
|
ret = sanity_check_segment_list(image);
|
|
|
|
if (ret)
|
|
|
|
goto out_free_image;
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/*
|
|
|
|
* Find a location for the control code buffer, and add it
|
|
|
|
* the vector of segments so that it's pages will also be
|
|
|
|
* counted as destination pages.
|
|
|
|
*/
|
2014-08-09 01:25:48 +04:00
|
|
|
ret = -ENOMEM;
|
2005-06-26 01:57:52 +04:00
|
|
|
image->control_code_page = kimage_alloc_control_pages(image,
|
2008-08-15 11:40:22 +04:00
|
|
|
get_order(KEXEC_CONTROL_PAGE_SIZE));
|
2005-06-26 01:57:52 +04:00
|
|
|
if (!image->control_code_page) {
|
2014-06-07 01:37:09 +04:00
|
|
|
pr_err("Could not allocate control_code_buffer\n");
|
2014-08-09 01:25:45 +04:00
|
|
|
goto out_free_image;
|
2005-06-26 01:57:52 +04:00
|
|
|
}
|
|
|
|
|
2014-08-09 01:25:48 +04:00
|
|
|
if (!kexec_on_panic) {
|
|
|
|
image->swap_page = kimage_alloc_control_pages(image, 0);
|
|
|
|
if (!image->swap_page) {
|
|
|
|
pr_err("Could not allocate swap buffer\n");
|
|
|
|
goto out_free_control_pages;
|
|
|
|
}
|
2008-07-26 06:45:07 +04:00
|
|
|
}
|
|
|
|
|
2013-02-28 05:03:29 +04:00
|
|
|
*rimage = image;
|
|
|
|
return 0;
|
2014-08-09 01:25:45 +04:00
|
|
|
out_free_control_pages:
|
2013-02-28 05:03:29 +04:00
|
|
|
kimage_free_page_list(&image->control_pages);
|
2014-08-09 01:25:45 +04:00
|
|
|
out_free_image:
|
2013-02-28 05:03:29 +04:00
|
|
|
kfree(image);
|
2014-08-09 01:25:48 +04:00
|
|
|
return ret;
|
2005-06-26 01:57:52 +04:00
|
|
|
}
|
|
|
|
|
2016-05-24 02:24:19 +03:00
|
|
|
static int do_kexec_load(unsigned long entry, unsigned long nr_segments,
|
|
|
|
struct kexec_segment __user *segments, unsigned long flags)
|
|
|
|
{
|
|
|
|
struct kimage **dest_image, *image;
|
|
|
|
unsigned long i;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
dest_image = &kexec_crash_image;
|
|
|
|
if (kexec_crash_image)
|
|
|
|
arch_kexec_unprotect_crashkres();
|
|
|
|
} else {
|
|
|
|
dest_image = &kexec_image;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nr_segments == 0) {
|
|
|
|
/* Uninstall image */
|
|
|
|
kimage_free(xchg(dest_image, NULL));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (flags & KEXEC_ON_CRASH) {
|
|
|
|
/*
|
|
|
|
* Loading another kernel to switch to if this one
|
|
|
|
* crashes. Free any current crash dump kernel before
|
|
|
|
* we corrupt it.
|
|
|
|
*/
|
|
|
|
kimage_free(xchg(&kexec_crash_image, NULL));
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = kimage_alloc_init(&image, entry, nr_segments, segments, flags);
|
|
|
|
if (ret)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
if (flags & KEXEC_PRESERVE_CONTEXT)
|
|
|
|
image->preserve_context = 1;
|
|
|
|
|
|
|
|
ret = machine_kexec_prepare(image);
|
|
|
|
if (ret)
|
|
|
|
goto out;
|
|
|
|
|
kdump: protect vmcoreinfo data under the crash memory
Currently vmcoreinfo data is updated at boot time subsys_initcall(), it
has the risk of being modified by some wrong code during system is
running.
As a result, vmcore dumped may contain the wrong vmcoreinfo. Later on,
when using "crash", "makedumpfile", etc utility to parse this vmcore, we
probably will get "Segmentation fault" or other unexpected errors.
E.g. 1) wrong code overwrites vmcoreinfo_data; 2) further crashes the
system; 3) trigger kdump, then we obviously will fail to recognize the
crash context correctly due to the corrupted vmcoreinfo.
Now except for vmcoreinfo, all the crash data is well
protected(including the cpu note which is fully updated in the crash
path, thus its correctness is guaranteed). Given that vmcoreinfo data
is a large chunk prepared for kdump, we better protect it as well.
To solve this, we relocate and copy vmcoreinfo_data to the crash memory
when kdump is loading via kexec syscalls. Because the whole crash
memory will be protected by existing arch_kexec_protect_crashkres()
mechanism, we naturally protect vmcoreinfo_data from write(even read)
access under kernel direct mapping after kdump is loaded.
Since kdump is usually loaded at the very early stage after boot, we can
trust the correctness of the vmcoreinfo data copied.
On the other hand, we still need to operate the vmcoreinfo safe copy
when crash happens to generate vmcoreinfo_note again, we rely on vmap()
to map out a new kernel virtual address and update to use this new one
instead in the following crash_save_vmcoreinfo().
BTW, we do not touch vmcoreinfo_note, because it will be fully updated
using the protected vmcoreinfo_data after crash which is surely correct
just like the cpu crash note.
Link: http://lkml.kernel.org/r/1493281021-20737-3-git-send-email-xlpang@redhat.com
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Tested-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Dave Young <dyoung@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Hari Bathini <hbathini@linux.vnet.ibm.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-13 00:33:21 +03:00
|
|
|
/*
|
|
|
|
* Some architecture(like S390) may touch the crash memory before
|
|
|
|
* machine_kexec_prepare(), we must copy vmcoreinfo data after it.
|
|
|
|
*/
|
|
|
|
ret = kimage_crash_copy_vmcoreinfo(image);
|
|
|
|
if (ret)
|
|
|
|
goto out;
|
|
|
|
|
2016-05-24 02:24:19 +03:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
|
|
|
ret = kimage_load_segment(image, &image->segment[i]);
|
|
|
|
if (ret)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
kimage_terminate(image);
|
|
|
|
|
|
|
|
/* Install the new kernel and uninstall the old */
|
|
|
|
image = xchg(dest_image, image);
|
|
|
|
|
|
|
|
out:
|
|
|
|
if ((flags & KEXEC_ON_CRASH) && kexec_crash_image)
|
|
|
|
arch_kexec_protect_crashkres();
|
|
|
|
|
|
|
|
kimage_free(image);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/*
|
|
|
|
* Exec Kernel system call: for obvious reasons only root may call it.
|
|
|
|
*
|
|
|
|
* This call breaks up into three pieces.
|
|
|
|
* - A generic part which loads the new kernel from the current
|
|
|
|
* address space, and very carefully places the data in the
|
|
|
|
* allocated pages.
|
|
|
|
*
|
|
|
|
* - A generic part that interacts with the kernel and tells all of
|
|
|
|
* the devices to shut down. Preventing on-going dmas, and placing
|
|
|
|
* the devices in a consistent state so a later kernel can
|
|
|
|
* reinitialize them.
|
|
|
|
*
|
|
|
|
* - A machine specific part that includes the syscall number
|
2013-09-15 13:35:37 +04:00
|
|
|
* and then copies the image to it's final destination. And
|
2005-06-26 01:57:52 +04:00
|
|
|
* jumps into the image at entry.
|
|
|
|
*
|
|
|
|
* kexec does not sync, or unmount filesystems so if you need
|
|
|
|
* that to happen you need to do that yourself.
|
|
|
|
*/
|
2008-08-15 11:40:27 +04:00
|
|
|
|
2018-03-17 17:18:30 +03:00
|
|
|
static inline int kexec_load_check(unsigned long nr_segments,
|
|
|
|
unsigned long flags)
|
2005-06-26 01:57:52 +04:00
|
|
|
{
|
2018-07-13 21:05:57 +03:00
|
|
|
int result;
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/* We only trust the superuser with rebooting the system. */
|
kexec: add sysctl to disable kexec_load
For general-purpose (i.e. distro) kernel builds it makes sense to build
with CONFIG_KEXEC to allow end users to choose what kind of things they
want to do with kexec. However, in the face of trying to lock down a
system with such a kernel, there needs to be a way to disable kexec_load
(much like module loading can be disabled). Without this, it is too easy
for the root user to modify kernel memory even when CONFIG_STRICT_DEVMEM
and modules_disabled are set. With this change, it is still possible to
load an image for use later, then disable kexec_load so the image (or lack
of image) can't be altered.
The intention is for using this in environments where "perfect"
enforcement is hard. Without a verified boot, along with verified
modules, and along with verified kexec, this is trying to give a system a
better chance to defend itself (or at least grow the window of
discoverability) against attack in the face of a privilege escalation.
In my mind, I consider several boot scenarios:
1) Verified boot of read-only verified root fs loading fd-based
verification of kexec images.
2) Secure boot of writable root fs loading signed kexec images.
3) Regular boot loading kexec (e.g. kcrash) image early and locking it.
4) Regular boot with no control of kexec image at all.
1 and 2 don't exist yet, but will soon once the verified kexec series has
landed. 4 is the state of things now. The gap between 2 and 4 is too
large, so this change creates scenario 3, a middle-ground above 4 when 2
and 1 are not possible for a system.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-24 03:55:59 +04:00
|
|
|
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
|
2005-06-26 01:57:52 +04:00
|
|
|
return -EPERM;
|
|
|
|
|
2018-07-13 21:05:57 +03:00
|
|
|
/* Permit LSMs and IMA to fail the kexec */
|
|
|
|
result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
|
|
|
|
if (result < 0)
|
|
|
|
return result;
|
|
|
|
|
2019-08-20 03:17:42 +03:00
|
|
|
/*
|
|
|
|
* kexec can be used to circumvent module loading restrictions, so
|
|
|
|
* prevent loading in that case
|
|
|
|
*/
|
|
|
|
result = security_locked_down(LOCKDOWN_KEXEC);
|
|
|
|
if (result)
|
|
|
|
return result;
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/*
|
|
|
|
* Verify we have a legal set of flags
|
|
|
|
* This leaves us room for future extensions.
|
|
|
|
*/
|
|
|
|
if ((flags & KEXEC_FLAGS) != (flags & ~KEXEC_ARCH_MASK))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Put an artificial cap on the number
|
|
|
|
* of segments passed to kexec_load.
|
|
|
|
*/
|
|
|
|
if (nr_segments > KEXEC_SEGMENT_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-03-17 17:18:30 +03:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
|
|
|
struct kexec_segment __user *, segments, unsigned long, flags)
|
|
|
|
{
|
|
|
|
int result;
|
|
|
|
|
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
if (result)
|
|
|
|
return result;
|
|
|
|
|
|
|
|
/* Verify we are on the appropriate architecture */
|
|
|
|
if (((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH) &&
|
|
|
|
((flags & KEXEC_ARCH_MASK) != KEXEC_ARCH_DEFAULT))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/* Because we write directly to the reserved memory
|
|
|
|
* region when loading crash kernels we need a mutex here to
|
|
|
|
* prevent multiple crash kernels from attempting to load
|
|
|
|
* simultaneously, and to prevent a crash kernel from loading
|
|
|
|
* over the top of a in use crash kernel.
|
|
|
|
*
|
|
|
|
* KISS: always take the mutex.
|
|
|
|
*/
|
2008-08-15 11:40:27 +04:00
|
|
|
if (!mutex_trylock(&kexec_mutex))
|
2005-06-26 01:57:52 +04:00
|
|
|
return -EBUSY;
|
2005-06-26 01:58:28 +04:00
|
|
|
|
2016-05-24 02:24:19 +03:00
|
|
|
result = do_kexec_load(entry, nr_segments, segments, flags);
|
2005-06-26 01:57:52 +04:00
|
|
|
|
2008-08-15 11:40:27 +04:00
|
|
|
mutex_unlock(&kexec_mutex);
|
2005-06-26 01:58:28 +04:00
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
2014-03-04 20:13:42 +04:00
|
|
|
COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
|
|
|
|
compat_ulong_t, nr_segments,
|
|
|
|
struct compat_kexec_segment __user *, segments,
|
|
|
|
compat_ulong_t, flags)
|
2005-06-26 01:57:52 +04:00
|
|
|
{
|
|
|
|
struct compat_kexec_segment in;
|
|
|
|
struct kexec_segment out, __user *ksegments;
|
|
|
|
unsigned long i, result;
|
|
|
|
|
2018-03-17 17:18:30 +03:00
|
|
|
result = kexec_load_check(nr_segments, flags);
|
|
|
|
if (result)
|
|
|
|
return result;
|
|
|
|
|
2005-06-26 01:57:52 +04:00
|
|
|
/* Don't allow clients that don't understand the native
|
|
|
|
* architecture to do anything.
|
|
|
|
*/
|
2005-06-26 01:58:28 +04:00
|
|
|
if ((flags & KEXEC_ARCH_MASK) == KEXEC_ARCH_DEFAULT)
|
2005-06-26 01:57:52 +04:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
ksegments = compat_alloc_user_space(nr_segments * sizeof(out));
|
2014-06-07 01:37:09 +04:00
|
|
|
for (i = 0; i < nr_segments; i++) {
|
2005-06-26 01:57:52 +04:00
|
|
|
result = copy_from_user(&in, &segments[i], sizeof(in));
|
2005-06-26 01:58:28 +04:00
|
|
|
if (result)
|
2005-06-26 01:57:52 +04:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
out.buf = compat_ptr(in.buf);
|
|
|
|
out.bufsz = in.bufsz;
|
|
|
|
out.mem = in.mem;
|
|
|
|
out.memsz = in.memsz;
|
|
|
|
|
|
|
|
result = copy_to_user(&ksegments[i], &out, sizeof(out));
|
2005-06-26 01:58:28 +04:00
|
|
|
if (result)
|
2005-06-26 01:57:52 +04:00
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
2018-03-17 17:18:30 +03:00
|
|
|
/* Because we write directly to the reserved memory
|
|
|
|
* region when loading crash kernels we need a mutex here to
|
|
|
|
* prevent multiple crash kernels from attempting to load
|
|
|
|
* simultaneously, and to prevent a crash kernel from loading
|
|
|
|
* over the top of a in use crash kernel.
|
|
|
|
*
|
|
|
|
* KISS: always take the mutex.
|
|
|
|
*/
|
|
|
|
if (!mutex_trylock(&kexec_mutex))
|
|
|
|
return -EBUSY;
|
|
|
|
|
|
|
|
result = do_kexec_load(entry, nr_segments, ksegments, flags);
|
|
|
|
|
|
|
|
mutex_unlock(&kexec_mutex);
|
|
|
|
|
|
|
|
return result;
|
2005-06-26 01:57:52 +04:00
|
|
|
}
|
|
|
|
#endif
|