Date:   Wed, 18 Apr 2018 21:59:33 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Linux Memory Management List <linux-mm@...ck.org>
Cc:     Alexander Viro <viro@...iv.linux.org.uk>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>,
        Serge Hallyn <serge@...lyn.com>,
        James Morris <james.l.morris@...cle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        lkp@...org
Subject: [do_execve] attempted to set unsupported pgprot

Hello,

FYI this happens in mainline kernel 4.17.0-rc1.
It looks like a new regression.

It occurs in 4 out of 4 boots.

[   12.345562] Write protecting the kernel text: 14376k
[   12.346649] Write protecting the kernel read-only data: 4740k
[   12.347584] rodata_test: all tests were successful
[   12.348499] ------------[ cut here ]------------
[   12.349193] attempted to set unsupported pgprot: 8000000000000025 bits: 8000000000000000 supported: 7fffffffffffffff
[   12.350792] WARNING: CPU: 0 PID: 1 at arch/x86/include/asm/pgtable.h:540 handle_mm_fault+0xfc1/0xfe0:
						check_pgprot at arch/x86/include/asm/pgtable.h:535
						 (inlined by) pfn_pte at arch/x86/include/asm/pgtable.h:549
						 (inlined by) do_anonymous_page at mm/memory.c:3169
						 (inlined by) handle_pte_fault at mm/memory.c:3961
						 (inlined by) __handle_mm_fault at mm/memory.c:4087
						 (inlined by) handle_mm_fault at mm/memory.c:4124
[   12.352294] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.17.0-rc1 #172
[   12.353357] EIP: handle_mm_fault+0xfc1/0xfe0:
						check_pgprot at arch/x86/include/asm/pgtable.h:535
						 (inlined by) pfn_pte at arch/x86/include/asm/pgtable.h:549
						 (inlined by) do_anonymous_page at mm/memory.c:3169
						 (inlined by) handle_pte_fault at mm/memory.c:3961
						 (inlined by) __handle_mm_fault at mm/memory.c:4087
						 (inlined by) handle_mm_fault at mm/memory.c:4124
[   12.354047] EFLAGS: 00210296 CPU: 0
[   12.354581] EAX: 00000068 EBX: 80000000 ECX: 00000002 EDX: 00000038
[   12.362768] ESI: 00000025 EDI: cc679000 EBP: cf02de70 ESP: cf02ddf0
[   12.363657]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   12.364458] CR0: 80050033 CR2: c1e1e110 CR3: 024a6000 CR4: 000006b0
[   12.365413] Call Trace:
[   12.365885]  ? touch_atime+0x5e/0xa0:
						touch_atime at include/linux/fs.h:1502
[   12.366451]  __get_user_pages+0x104/0x3a0:
						faultin_page at mm/gup.c:503
						 (inlined by) __get_user_pages at mm/gup.c:699
[   12.374172]  get_user_pages_remote+0xf3/0x1c0:
						__get_user_pages_locked at mm/gup.c:872
						 (inlined by) get_user_pages_remote at mm/gup.c:1062
[   12.374959]  copy_strings+0x12d/0x380:
						get_arg_page at fs/exec.c:218
						 (inlined by) copy_strings at fs/exec.c:557
[   12.375478]  copy_strings_kernel+0x26/0x40:
						set_fs at arch/x86/include/asm/uaccess.h:32
						 (inlined by) copy_strings_kernel at fs/exec.c:603
[   12.376087]  do_execveat_common+0x486/0x6a0:
						do_execveat_common at fs/exec.c:1803
[   12.376718]  ? rest_init+0x100/0x100:
						kernel_init at init/main.c:1050
[   12.377275]  do_execve+0x14/0x20:
						do_execve at fs/exec.c:1863
[   12.377769]  run_init_process+0x1c/0x20:
						run_init_process at init/main.c:1006
[   12.378364]  kernel_init+0x46/0x100:
						kernel_init at init/main.c:1067
[   12.378876]  ret_from_fork+0x2e/0x40:
						ret_from_fork at arch/x86/entry/entry_32.S:311
[   12.379408] Code: ff c6 05 55 fc 3b c2 01 52 50 8b 5d b0 89 4d a0 31 f3 89 d8 8b 5d b4 31 cb 53 50 ff 75 b4 ff 75 b0 68 18 b0 15 c2 e8 bf cc f0 ff <0f> 0b 8b 4d a0 83 c4 1c 89 75 b0 89 4d b4 e9 ee fa ff ff be 02
[   12.382173] ---[ end trace 0276fe2191187186 ]---
[   12.383485] ------------[ cut here ]------------
[   12.383485] ------------[ cut here ]------------
[   12.384245] attempted to set unsupported pgprot: 8000000000000025 bits: 8000000000000000 supported: 7fffffffffffffff
[   12.391613] WARNING: CPU: 0 PID: 1 at arch/x86/include/asm/pgtable.h:540 change_protection_range+0x721/0x8a0:
						check_pgprot at arch/x86/include/asm/pgtable.h:535
						 (inlined by) pte_modify at arch/x86/include/asm/pgtable.h:573
						 (inlined by) change_pte_range at mm/mprotect.c:114
						 (inlined by) change_pmd_range at mm/mprotect.c:210
						 (inlined by) change_pud_range at mm/mprotect.c:238
						 (inlined by) change_p4d_range at mm/mprotect.c:258
						 (inlined by) change_protection_range at mm/mprotect.c:283
[   12.393324] CPU: 0 PID: 1 Comm: init Tainted: G        W         4.17.0-rc1 #172
[   12.394400] EIP: change_protection_range+0x721/0x8a0:
						check_pgprot at arch/x86/include/asm/pgtable.h:535
						 (inlined by) pte_modify at arch/x86/include/asm/pgtable.h:573
						 (inlined by) change_pte_range at mm/mprotect.c:114
						 (inlined by) change_pmd_range at mm/mprotect.c:210
						 (inlined by) change_pud_range at mm/mprotect.c:238
						 (inlined by) change_p4d_range at mm/mprotect.c:258
						 (inlined by) change_protection_range at mm/mprotect.c:283
[   12.395106] EFLAGS: 00010292 CPU: 0
[   12.395607] EAX: 00000068 EBX: 00000000 ECX: 00000003 EDX: 00000054
[   12.396527] ESI: b7f40000 EDI: cc67ea00 EBP: cf02df10 ESP: cf02de60
[   12.397472]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   12.398286] CR0: 80050033 CR2: b7f40dc4 CR3: 0c698000 CR4: 000006b0
[   12.399207] Call Trace:
[   12.399582]  mprotect_fixup+0xba/0x240:
						mprotect_fixup at mm/mprotect.c:389
[   12.400109]  sys_mprotect+0x13d/0x220:
						do_mprotect_pkey at mm/mprotect.c:507
						 (inlined by) __do_sys_mprotect at mm/mprotect.c:531
						 (inlined by) __se_sys_mprotect at mm/mprotect.c:528
[   12.400637]  do_int80_syscall_32+0x49/0x140:
						do_syscall_32_irqs_on at arch/x86/entry/common.c:331
						 (inlined by) do_int80_syscall_32 at arch/x86/entry/common.c:346
[   12.401250]  entry_INT80_32+0x31/0x31:
						restore_all at arch/x86/entry/entry_32.S:551
[   12.401802] EIP: 0xb7f858fd
[   12.402237] EFLAGS: 00000206 CPU: 0
[   12.402761] EAX: ffffffda EBX: b7f40000 ECX: 00001000 EDX: 00000001
[   12.403681] ESI: b7f7d8b0 EDI: b7f7d8b0 EBP: bff7cd94 ESP: bff7cd88
[   12.404633]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
[   12.405416] Code: 89 9d 74 ff ff ff 8b 45 88 89 85 78 ff ff ff ff b5 78 ff ff ff ff b5 74 ff ff ff ff 75 0c ff 75 08 68 18 b0 15 c2 e8 9f 48 f0 ff <0f> 0b 83 c4 1c 8b 85 70 ff ff ff 8b 95 6c ff ff ff e9 27 fe ff
[   12.408185] ---[ end trace 0276fe2191187187 ]---
[   12.422790] init: Console is alive

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang

View attachment "dmesg-vm-intel12-openwrt-i386-8:20180418045844:i386-randconfig-b0-04180440:4.17.0-rc1:172" of type "text/plain" (57002 bytes)

View attachment ".config" of type "text/plain" (113941 bytes)

View attachment "job-script" of type "text/plain" (3966 bytes)

View attachment "reproduce-vm-intel12-openwrt-i386-8:20180418045844:i386-randconfig-b0-04180440:4.17.0-rc1:172" of type "text/plain" (2207 bytes)
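
Added example, not part of the original message or of the kernel source: a small C decoder for the "attempted to set unsupported pgprot" line in the log above. It parses the three hex fields, names the flag bits using the architectural x86 page-table-entry bit positions, and checks that the logged "bits" value equals the requested value with the supported mask cleared. The names `parse_pgprot_warn`, `pte_flag_names` and `struct pgprot_warn` are hypothetical, and the bit table covers only the low flag bits and NX.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample input: the warning line copied from the report above. */
static const char SAMPLE[] =
    "[   12.349193] attempted to set unsupported pgprot: 8000000000000025 "
    "bits: 8000000000000000 supported: 7fffffffffffffff";

/* Architectural x86 PTE flag bit positions (low flag bits and NX only). */
static const struct { int bit; const char *name; } PTE_BITS[] = {
    {0, "PRESENT"}, {1, "RW"}, {2, "USER"}, {3, "PWT"}, {4, "PCD"},
    {5, "ACCESSED"}, {6, "DIRTY"}, {7, "PAT/PSE"}, {8, "GLOBAL"}, {63, "NX"},
};

struct pgprot_warn { uint64_t val, bits, supported; };

/* Parse the three hex fields; 0 on success, -1 if the line does not match. */
int parse_pgprot_warn(const char *line, struct pgprot_warn *w)
{
    const char *p = strstr(line, "unsupported pgprot: ");
    if (!p)
        return -1;
    return sscanf(p, "unsupported pgprot: %" SCNx64 " bits: %" SCNx64
                  " supported: %" SCNx64, &w->val, &w->bits,
                  &w->supported) == 3 ? 0 : -1;
}

/* Write the space-separated names of the flag bits set in mask into out. */
const char *pte_flag_names(uint64_t mask, char *out, size_t len)
{
    out[0] = '\0';
    for (size_t i = 0; i < sizeof(PTE_BITS) / sizeof(PTE_BITS[0]); i++) {
        if (!(mask & (1ULL << PTE_BITS[i].bit)))
            continue;
        if (out[0])
            strncat(out, " ", len - strlen(out) - 1);
        strncat(out, PTE_BITS[i].name, len - strlen(out) - 1);
    }
    return out;
}

int main(void)
{
    struct pgprot_warn w;
    char req[64], bad[64];
    if (parse_pgprot_warn(SAMPLE, &w) != 0)
        return 1;
    printf("requested: %s\n", pte_flag_names(w.val, req, sizeof req));
    printf("rejected:  %s\n", pte_flag_names(w.bits, bad, sizeof bad));
    printf("consistent: %s\n", (w.val & ~w.supported) == w.bits ? "yes" : "no");
    return 0;
}
```

For the logged values the rejected bit is bit 63 (NX), requested on a mapping whose other flags are PRESENT, USER and ACCESSED, while the supported mask printed in the same line has bit 63 clear.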
