[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrX-ZGks2v556rNH+WgU9R4JfP8sasr2w3WE==pQ8vm+Ng@mail.gmail.com>
Date: Fri, 19 May 2017 11:27:08 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Catalin Marinas <catalin.marinas@....com>
Cc: "Luis R. Rodriguez" <mcgrof@...nel.org>,
Steven Rostedt <srostedt@...hat.com>,
Kees Cook <keescook@...omium.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
Ingo Molnar <mingo@...nel.org>,
Michal Hocko <mhocko@...nel.org>,
Vlastimil Babka <vbabka@...e.cz>,
Andrew Morton <akpm@...ux-foundation.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Mateusz Guzik <mguzik@...hat.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: next-20170515: WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:236
note_page+0x630/0x7e0
On Fri, May 19, 2017 at 10:35 AM, Catalin Marinas
<catalin.marinas@....com> wrote:
> On Fri, May 19, 2017 at 05:40:16PM +0200, Luis R. Rodriguez wrote:
>> If the following is a legit forced way to get query the kernel to ask it
>> who owns a page then perhaps this technique can be used in the future to
>> figure out who the hell caused this. Catalin, can you confirm? In this
>> case this is perhaps not a leaked page but I am trying to abuse the
>> kmemleak debugfs API to query who allocated the page. Is that fine?
>>
>> [ 0.916771] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:235 note_page+0x63c/0x7e0
>> [ 0.917636] x86/mm: Found insecure W+X mapping at address ffffffffc03d5000/0xffffffffc03d5000
>> [ 0.918502] Modules linked in:
>> [ 0.918819] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.11.0-mcgrof-force-config #340
>> [ 0.919631] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>> [ 0.920011] Call Trace:
>> [ 0.920011] dump_stack+0x63/0x81
>> [ 0.920011] __warn+0xcb/0xf0
>> [ 0.920011] warn_slowpath_fmt+0x5a/0x80
>> [ 0.920011] note_page+0x63c/0x7e0
>> [ 0.920011] ptdump_walk_pgd_level_core+0x3b1/0x460
>> [ 0.920011] ? 0xffffffff86c00000
>> [ 0.920011] ptdump_walk_pgd_level_checkwx+0x17/0x20
>> [ 0.920011] mark_rodata_ro+0xf4/0x100
>> [ 0.920011] ? rest_init+0x80/0x80
>> [ 0.920011] kernel_init+0x2a/0x100
>> [ 0.920011] ret_from_fork+0x2c/0x40
>> [ 0.925474] ---[ end trace dca00cd779490a2b ]---
>> [ 0.925959] x86/mm: Checked W+X mappings: FAILED, 1 W+X pages found.
>>
>> echo dump=0xffffffffc03d5000 > /sys/kernel/debug/kmemleak
>> dmesg | tail
>>
>> [ 49.209565] kmemleak: Object 0xffffffffc03d5000 (size 335):
>> [ 49.210814] kmemleak: comm "swapper/0", pid 1, jiffies 4294892440
>> [ 49.212148] kmemleak: min_count = 2
>> [ 49.212852] kmemleak: count = 0
>> [ 49.213363] kmemleak: flags = 0x1
>> [ 49.213363] kmemleak: checksum = 0
>> [ 49.213363] kmemleak: backtrace:
>> [ 49.213363] kmemleak_alloc+0x4a/0xa0
>> [ 49.213363] __vmalloc_node_range+0x20a/0x2b0
>> [ 49.213363] module_alloc+0x67/0xc0
>> [ 49.213363] arch_ftrace_update_trampoline+0xba/0x260
>> [ 49.213363] ftrace_startup+0x90/0x210
>> [ 49.213363] register_ftrace_function+0x4b/0x60
>> [ 49.213363] arm_kprobe+0x84/0xe0
>> [ 49.213363] register_kprobe+0x56e/0x5b0
>> [ 49.213363] init_test_probes+0x61/0x560
>> [ 49.213363] init_kprobes+0x1e3/0x206
>> [ 49.213363] do_one_initcall+0x52/0x1a0
>> [ 49.213363] kernel_init_freeable+0x178/0x200
>> [ 49.213363] kernel_init+0xe/0x100
>> [ 49.213363] ret_from_fork+0x2c/0x40
>> [ 49.213363] 0xffffffffffffffff
>
> You could as well use kmemleak this way since it tracks the memory
> allocations. However, it doesn't track alloc_pages and also doesn't
> track mapping existing pages (vmap etc.)
One thing I've pondered: can we make some debugging mode (kmemleak,
perhaps?) check that freed memory is RW at the time it's freed? I
once wrote some buggy code that freed an R page and caused an OOPS
much later, and this bug here seems likely to be some code that frees
RWX memory.
--Andy
Powered by blists - more mailing lists