lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160125234108.GA16175@google.com>
Date:	Mon, 25 Jan 2016 15:41:08 -0800
From:	Brian Norris <computersforpeace@...il.com>
To:	Lothar Wassmann <LW@...O-electronics.de>
Cc:	Rusty Russell <rusty@...tcorp.com.au>, linux-kernel@...r.kernel.org
Subject: Re: module: Fix regression introduced by commit: b0d7290e85a5
 "module: clean up RO/NX handling."

On Mon, Jan 25, 2016 at 12:11:51PM +0100, Lothar Wassmann wrote:
> commit b0d7290e85a5 ("module: clean up RO/NX handling.")
> threw away the size checks which were in place before calling the
> set_memory_*() functions.
> This produces a kernel bug upon module load with
> CONFIG_DEBUG_SET_MODULE_RONX=y:
> 
> kernel BUG at mm/memory.c:1898!
> Internal error: Oops - BUG: 0 [#1] ARM
> Modules linked in:
> CPU: 0 PID: 825 Comm: modprobe Not tainted 4.4.0-next-20160121+ #53
> Hardware name: Freescale MXS (Device Tree)
> task: cef6c380 ti: ce93a000 task.ti: ce93a000
> PC is at apply_to_page_range+0x190/0x1bc
> LR is at change_memory_common+0x74/0xcc
> pc : [<c0082d80>]    lr : [<c0011ce0>]    psr: 60000013
> sp : ce93be40  ip : bf011000  fp : bf012000
> r10: bf012000  r9 : bf0091d4  r8 : ce93be80
> r7 : 00000000  r6 : bf012000  r5 : 00000001  r4 : bf012000
> r3 : c0011d38  r2 : 00000000  r1 : bf012000  r0 : c0633458
> Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
> Control: 0005317f  Table: 4ef0c000  DAC: 00000051
> Process modprobe (pid: 825, stack limit = 0xce93a190)
> Stack: (0xce93be40 to 0xce93c000)
> be40: c0633458 bf012000 00000000 bf012000 00000001 bf012000 00000000 00000080
> be60: bf0091d4 ce93bef4 00000000 c0011ce0 ce93be80 00000000 bf0071dc bf0091e4
> be80: 00000080 00000000 bf009100 ce93bf48 00000001 bf00910c bf009100 00000000
> bea0: bf0091d4 c005d2a0 00000000 cfbd8de0 00000000 00000014 007fb980 00000000
> bec0: d0a1d01c bf009250 bf00910c 00000000 d0a19000 b6e4b000 00000f80 755f6f74
> bee0: 5f726573 bf007024 00000032 bf0071b4 00000006 00000000 00000000 00000000
> bf00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> bf20: c005da70 0000306c 00000000 b6e4f06c d0a1d06c ce93a000 007fb980 00000051
> bf40: 007fbbd8 c005dae0 d0a0a000 0001306c d0a1c98c d0a13c07 d0a177c8 0000a000
> bf60: 0000cbe0 00000000 00000000 00000000 0000002a 0000002b 00000020 00000024
> bf80: 00000018 00000000 b6f83228 bec859f8 00000000 00000080 c000a4e4 ce93a000
> bfa0: 00000000 c000a340 b6f83228 bec859f8 b6e3c000 0001306c 007fb980 00000000
> bfc0: b6f83228 bec859f8 00000000 00000080 007fb980 00000008 00000000 007fbbd8
> bfe0: b6f1fa70 bec856c8 0000aab4 b6f1fa80 60000010 b6e3c000 00000000 00000000
> [<c0082d80>] (apply_to_page_range) from [<c0011ce0>] (change_memory_common+0x74/0xcc)
> [<c0011ce0>] (change_memory_common) from [<c005d2a0>] (load_module+0x16c8/0x1e3c)
> [<c005d2a0>] (load_module) from [<c005dae0>] (SyS_init_module+0xcc/0x138)
> [<c005dae0>] (SyS_init_module) from [<c000a340>] (ret_fast_syscall+0x0/0x38)
> Code: e0834104 eaffffc3 e5191008 eaffffbb (e7f001f2)
> ---[ end trace fbf287e335e94b28 ]---
> 
> This happens because the set_memory_*() functions are eventually being
> called with a zero <size> parameter and thus apply_to_page_range() in
> mm/memory.c barfs due to:
> 	unsigned long end = addr + size;
> ...
> 	BUG_ON(addr >= end);

Hit this BUG_ON() on a mt8173 platform with v4.5-rc1.

> Reinstate the size checks, as they were before the offending commit.
> 
> Signed-off-by: Lothar Waßmann <LW@...O-electronics.de>

Gets me back to a prompt, so:

Tested-by: Brian Norris <computersforpeace@...il.com>

> ---
> kernel/module.c | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/module.c b/kernel/module.c
> index 8358f46..40d8e42 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -1863,8 +1863,9 @@ static void frob_text(const struct module_layout *layout,
>  {
>  	BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
>  	BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
> -	set_memory((unsigned long)layout->base,
> -		   layout->text_size >> PAGE_SHIFT);
> +	if (layout->text_size)
> +		set_memory((unsigned long)layout->base,
> +			layout->text_size >> PAGE_SHIFT);
>  }
>  
>  static void frob_rodata(const struct module_layout *layout,
> @@ -1873,8 +1874,9 @@ static void frob_rodata(const struct module_layout *layout,
>  	BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
>  	BUG_ON((unsigned long)layout->text_size & (PAGE_SIZE-1));
>  	BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
> -	set_memory((unsigned long)layout->base + layout->text_size,
> -		   (layout->ro_size - layout->text_size) >> PAGE_SHIFT);
> +	if (layout->ro_size > layout->text_size)
> +		set_memory((unsigned long)layout->base + layout->text_size,
> +			(layout->ro_size - layout->text_size) >> PAGE_SHIFT);
>  }
>  
>  static void frob_writable_data(const struct module_layout *layout,
> @@ -1883,8 +1885,9 @@ static void frob_writable_data(const struct module_layout *layout,
>  	BUG_ON((unsigned long)layout->base & (PAGE_SIZE-1));
>  	BUG_ON((unsigned long)layout->ro_size & (PAGE_SIZE-1));
>  	BUG_ON((unsigned long)layout->size & (PAGE_SIZE-1));
> -	set_memory((unsigned long)layout->base + layout->ro_size,
> -		   (layout->size - layout->ro_size) >> PAGE_SHIFT);
> +	if (layout->size > layout->ro_size)
> +		set_memory((unsigned long)layout->base + layout->ro_size,
> +			(layout->size - layout->ro_size) >> PAGE_SHIFT);
>  }
>  
>  /* livepatching wants to disable read-only so it can frob module. */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ