| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 May 2018 03:25:23 +0100
From: Dmitry Safonov <0x7f454c46@...il.com>
To: Dmitry Safonov <dima@...sta.com>
Cc: Andy Lutomirski <luto@...nel.org>,
LKML <linux-kernel@...r.kernel.org>, izbyshev@...ras.ru,
Alexander Monakov <amonakov@...ras.ru>,
Borislav Petkov <bp@...e.de>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Linux-MM <linux-mm@...ck.org>, X86 ML <x86@...nel.org>,
stable <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
2018-05-19 3:22 GMT+01:00 Dmitry Safonov <dima@...sta.com>:
> On Fri, 2018-05-18 at 19:05 -0700, Andy Lutomirski wrote:
>> > On May 18, 2018, at 4:10 PM, Dmitry Safonov <0x7f454c46@...il.com>
>> > cpu family : 6
>> > model : 142
>> > model name : Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz
>> > But I usually test kernels in VM. So, I use virt-manager as it's
>> > easier to manage
>> > multiple VMs. The thing is that I've chosen "Copy host CPU
>> > configuration"
>> > and for some reason, I don't quite follow virt-manager makes model
>>
>> "Opteron_G4".
>> > I'm on Fedora 27, virt-manager 1.4.3, qemu 2.9.1(qemu-2.9.1-
>> > 2.fc26).
>> > So, cpuinfo in VM says:
>> > cpu family : 21
>> > model : 1
>> > model name : AMD Opteron 62xx class CPU
>>
>> What does guest cpuinfo say for vendor_id?
>>
>> There are multiple potential screwups here.
>>
>> 1. (What I *thought* was going on) AMD CPUs have screwy IRET behavior
>> that’s different from Intel’s, and the test case was definitely
>> wrong. But
>> KVM has no way to influence it. Are you sure you’re using KVM and
>> not QEMU
>> TCG? Anyway, the IRET thing is minor compared to your other problems,
>> so
>> let’s try to fix them first.
>>
>> 2. Compat fast syscalls are wildly different on AMD and Intel.
>> Because of
>> this issue, QEMU with KVM is supposed to always report the real
>> vendor_id
>> no matter -cpu asks for. If we get the wrong vendor_id, then we’re
>> at the
>> mercy of KVM’s emulation and performance will suck. On older
>> kernels, this
>> would cause hideous kernel crashes. On new kernels, I would expect
>> it to
>> merely crash 32-bit user programs or be slow.
>
> Heh, I didn't know those details, so it looks like it's (2),
> vendor_id : AuthenticAMD
> in guest.
>
>>
>> > What's worse than registers changes is that some selftests actually
>> > lead
>>
>> to
>> > Oops's. The same reason for criu-ia32 fails.
>> > I've tested so far v4.15 and v4.16 releases besides master
>> > (2c71d338bef2),
>> > so it looks to be not a recent regression.
>> > Full Oopses:
>> > [ 189.100174] BUG: unable to handle kernel paging request at
>>
>> 00000000417bafe8
>> > [ 189.100174] PGD 69ed4067 P4D 69ed4067 PUD 707fc067 PMD 6c535067
>> > PTE
>>
>> 6991f067
>> > [ 189.100174] Oops: 0001 [#3] SMP NOPTI
>>
>> Whoa there! 0001 means a failed *kernel* access.
>>
>> > [ 189.100174] Modules linked in:
>> > [ 189.100174] CPU: 0 PID: 2443 Comm: sysret_ss_attrs Tainted: G
>>
>> Was this sysret_ss_attrs_32 or sysret_ss_attrs_64?
>
> sysret_ss_attrs_32 survives
>
>>
>> > D 4.17.0-rc5+ #11
>> > [ 189.103187] Hardware name: QEMU Standard PC (i440FX + PIIX,
>> > 1996),
>> > BIOS 1.10.2-1.fc26 04/01/2014
>> > [ 189.103187] RIP: 0033:0x40085a
>>
>> The oops was caused from CPL 3 at what looks like a totally sensible
>> user
>> address. Can you disassemble the offending binary and tell me what
>> the
>> code at 0x40085a is?
>
> Here is the function:
> 0000000000400842 <call32_from_64>:
> 400842: 53 push %rbx
> 400843: 55 push %rbp
> 400844: 41 54 push %r12
> 400846: 41 55 push %r13
> 400848: 41 56 push %r14
> 40084a: 41 57 push %r15
> 40084c: 9c pushfq
> 40084d: 48 89 27 mov %rsp,(%rdi)
> 400850: 48 89 fc mov %rdi,%rsp
> 400853: 6a 23 pushq $0x23
> 400855: 68 5c 08 40 00 pushq $0x40085c
> 40085a: 48 cb lretq
> 40085c: ff d6 callq *%rsi
> 40085e: ea (bad)
> 40085f: 65 08 40 00 or %al,%gs:0x0(%rax)
> 400863: 33 00 xor (%rax),%eax
> 400865: 48 8b 24 24 mov (%rsp),%rsp
> 400869: 9d popfq
> 40086a: 41 5f pop %r15
> 40086c: 41 5e pop %r14
> 40086e: 41 5d pop %r13
> 400870: 41 5c pop %r12
> 400872: 5d pop %rbp
> 400873: 5b pop %rbx
> 400874: c3 retq
> 400875: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
> 40087c: 00 00 00
> 40087f: 90 nop
>
> Looks like mov between registers caused it? The hell.
Oh, it's not 400850, I missloked, but 40085a so lretq might case it.
>
>>
>> > [ 189.103187] RSP: 002b:00000000417bafe8 EFLAGS: 00000206
>> > [ 189.103187] RAX: 0000000000000000 RBX: 00000000000003e8 RCX:
>>
>> 0000000000000000
>> > [ 189.103187] RDX: 0000000000000000 RSI: 0000000000400830 RDI:
>>
>> 00000000417baff8
>> > [ 189.103187] RBP: 00000000417baff8 R08: 0000000000000000 R09:
>>
>> 0000000000000077
>> > [ 189.103187] R10: 0000000000000006 R11: 0000000000000000 R12:
>>
>> 00000000417ba000
>> > [ 189.103187] R13: 00007ffc05207840 R14: 0000000000000000 R15:
>>
>> 0000000000000000
>> > [ 189.103187] FS: 00007f98566ecb40(0000)
>> > GS:ffff9740ffc00000(0000)
>> > knlGS:0000000000000000
>> > [ 189.103187] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>
>> CS here is the value of CS that the *kernel* has, so 0x10 is normal.
>>
>> > [ 189.103187] CR2: 00000000417bafe8 CR3: 0000000069dc4000 CR4:
>>
>> 00000000007406f0
>>
>> CR2 is in user space.
>>
>> So the big question is: what happened here? Why did the CPU (or
>> emulated
>> CPU) attempt a privileged access to a user address while running user
>> code?
>
> No idea, but looks like it's not a kernel fault.
>
> --
> Thanks,
> Dmitry
--
Dmitry
Powered by blists - more mailing lists