| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jan 2016 15:41:08 -0800
From: Brian Norris <computersforpeace@...il.com>
To: Lothar Wassmann <LW@...O-electronics.de>
Cc: Rusty Russell <rusty@...tcorp.com.au>, linux-kernel@...r.kernel.org
Subject: Re: module: Fix regression introduced by commit: b0d7290e85a5
"module: clean up RO/NX handling."
On Mon, Jan 25, 2016 at 12:11:51PM +0100, Lothar Wassmann wrote:
> commit b0d7290e85a5 ("module: clean up RO/NX handling.")
> threw away the size checks which were in place before calling the
> set_memory_*() functions.
> This produces a kernel bug upon module load with
> CONFIG_DEBUG_SET_MODULE_RONX=y:
>
> kernel BUG at mm/memory.c:1898!
> Internal error: Oops - BUG: 0 [#1] ARM
> Modules linked in:
> CPU: 0 PID: 825 Comm: modprobe Not tainted 4.4.0-next-20160121+ #53
> Hardware name: Freescale MXS (Device Tree)
> task: cef6c380 ti: ce93a000 task.ti: ce93a000
> PC is at apply_to_page_range+0x190/0x1bc
> LR is at change_memory_common+0x74/0xcc
> pc : [<c0082d80>] lr : [<c0011ce0>] psr: 60000013
> sp : ce93be40 ip : bf011000 fp : bf012000
> r10: bf012000 r9 : bf0091d4 r8 : ce93be80
> r7 : 00000000 r6 : bf012000 r5 : 00000001 r4 : bf012000
> r3 : c0011d38 r2 : 00000000 r1 : bf012000 r0 : c0633458
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 0005317f Table: 4ef0c000 DAC: 00000051
> Process modprobe (pid: 825, stack limit = 0xce93a190)
> Stack: (0xce93be40 to 0xce93c000)
> be40: c0633458 bf012000 00000000 bf012000 00000001 bf012000 00000000 00000080
> be60: bf0091d4 ce93bef4 00000000 c0011ce0 ce93be80 00000000 bf0071dc bf0091e4
> be80: 00000080 00000000 bf009100 ce93bf48 00000001 bf00910c bf009100 00000000
> bea0: bf0091d4 c005d2a0 00000000 cfbd8de0 00000000 00000014 007fb980 00000000
> bec0: d0a1d01c bf009250 bf00910c 00000000 d0a19000 b6e4b000 00000f80 755f6f74
> bee0: 5f726573 bf007024 00000032 bf0071b4 00000006 00000000 00000000 00000000
> bf00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> bf20: c005da70 0000306c 00000000 b6e4f06c d0a1d06c ce93a000 007fb980 00000051
> bf40: 007fbbd8 c005dae0 d0a0a000 0001306c d0a1c98c d0a13c07 d0a177c8 0000a000
> bf60: 0000cbe0 00000000 00000000 00000000 0000002a 0000002b 00000020 00000024
> bf80: 00000018 00000000 b6f83228 bec859f8 00000000 00000080 c000a4e4 ce93a000
> bfa0: 00000000 c000a340 b6f83228 bec859f8 b6e3c000 0001306c 007fb980 00000000
> bfc0: b6f83228 bec859f8 00000000 00000080 007fb980 00000008 00000000 007fbbd8
> bfe0: b6f1fa70 bec856c8 0000aab4 b6f1fa80 60000010 b6e3c000 00000000 00000000
> [<c0082d80>] (apply_to_page_range) from [<c0011ce0>] (change_memory_common+0x74/0xcc)
> [<c0011ce0>] (change_memory_common) from [<c005d2a0>] (load_module+0x16c8/0x1e3c)
> [<c005d2a0>] (load_module) from [<c005dae0>] (SyS_init_module+0xcc/0x138)
> [<c005dae0>] (SyS_init_module) from [<c000a340>] (ret_fast_syscall+0x0/0x38)
> Code: e0834104 eaffffc3 e5191008 eaffffbb (e7f001f2)
> ---[ end trace fbf287e335e94b28 ]---
>
> This happens because the set_memory_*() functions are eventually being
> called with a zero <size> parameter and thus apply_to_page_range() in
> mm/memory.c barfs due to:
> unsigned long end = addr + size;
> ...
> BUG_ON(addr >= end);
Hit this BUG_ON() on a mt8173 platform with v4.5-rc1.
> Reinstate the size checks, as they were before the offending commit.
>
> Signed-off-by: Lothar Waßmann <LW@...O-electronics.de>
Gets me back to a prompt, so:
Tested-by: Brian Norris <computersforpeace@...il.com>
> ---
> kernel/module.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 8358f46..40d8e42 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -1863,8 +1863,9 @@ static void frob_text(const struct module_layout *layout,
> {
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base,
> - layout->text_size >> PAGE_SHIFT);
> + if (layout->text_size)
> + set_memory((unsigned long)layout->base,
> + layout->text_size >> PAGE_SHIFT);
> }
>
> static void frob_rodata(const struct module_layout *layout,
> @@ -1873,8 +1874,9 @@ static void frob_rodata(const struct module_layout *layout,
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base + layout->text_size,
> - (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
> + if (layout->ro_size > layout->text_size)
> + set_memory((unsigned long)layout->base + layout->text_size,
> + (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
> }
>
> static void frob_writable_data(const struct module_layout *layout,
> @@ -1883,8 +1885,9 @@ static void frob_writable_data(const struct module_layout *layout,
> BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
> BUG_ON((unsigned long)layout->size & (PAGE_SIZE-1));
> - set_memory((unsigned long)layout->base + layout->ro_size,
> - (layout->size - layout->ro_size) >> PAGE_SHIFT);
> + if (layout->size > layout->ro_size)
> + set_memory((unsigned long)layout->base + layout->ro_size,
> + (layout->size - layout->ro_size) >> PAGE_SHIFT);
> }
>
> /* livepatching wants to disable read-only so it can frob module. */
Powered by blists - more mailing lists