Message-ID: <CALCETrX-ZGks2v556rNH+WgU9R4JfP8sasr2w3WE==pQ8vm+Ng@mail.gmail.com>
Date:   Fri, 19 May 2017 11:27:08 -0700
From:   Andy Lutomirski <luto@...nel.org>
To:     Catalin Marinas <catalin.marinas@....com>
Cc:     "Luis R. Rodriguez" <mcgrof@...nel.org>,
        Steven Rostedt <srostedt@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Ingo Molnar <mingo@...nel.org>,
        Michal Hocko <mhocko@...nel.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Mateusz Guzik <mguzik@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: next-20170515: WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:236 note_page+0x630/0x7e0

On Fri, May 19, 2017 at 10:35 AM, Catalin Marinas
<catalin.marinas@....com> wrote:
> On Fri, May 19, 2017 at 05:40:16PM +0200, Luis R. Rodriguez wrote:
>> If the following is a legit forced way to query the kernel to ask it
>> who owns a page then perhaps this technique can be used in the future to
>> figure out who the hell caused this. Catalin, can you confirm? In this
>> case this is perhaps not a leaked page but I am trying to abuse the
>> kmemleak debugfs API to query who allocated the page. Is that fine?
>>
>> [    0.916771] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:235 note_page+0x63c/0x7e0
>> [    0.917636] x86/mm: Found insecure W+X mapping at address ffffffffc03d5000/0xffffffffc03d5000
>> [    0.918502] Modules linked in:
>> [    0.918819] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.11.0-mcgrof-force-config #340
>> [    0.919631] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>> [    0.920011] Call Trace:
>> [    0.920011]  dump_stack+0x63/0x81
>> [    0.920011]  __warn+0xcb/0xf0
>> [    0.920011]  warn_slowpath_fmt+0x5a/0x80
>> [    0.920011]  note_page+0x63c/0x7e0
>> [    0.920011]  ptdump_walk_pgd_level_core+0x3b1/0x460
>> [    0.920011]  ? 0xffffffff86c00000
>> [    0.920011]  ptdump_walk_pgd_level_checkwx+0x17/0x20
>> [    0.920011]  mark_rodata_ro+0xf4/0x100
>> [    0.920011]  ? rest_init+0x80/0x80
>> [    0.920011]  kernel_init+0x2a/0x100
>> [    0.920011]  ret_from_fork+0x2c/0x40
>> [    0.925474] ---[ end trace dca00cd779490a2b ]---
>> [    0.925959] x86/mm: Checked W+X mappings: FAILED, 1 W+X pages found.
>>
>> echo dump=0xffffffffc03d5000 > /sys/kernel/debug/kmemleak
>> dmesg | tail
>>
>> [   49.209565] kmemleak: Object 0xffffffffc03d5000 (size 335):
>> [   49.210814] kmemleak:   comm "swapper/0", pid 1, jiffies 4294892440
>> [   49.212148] kmemleak:   min_count = 2
>> [   49.212852] kmemleak:   count = 0
>> [   49.213363] kmemleak:   flags = 0x1
>> [   49.213363] kmemleak:   checksum = 0
>> [   49.213363] kmemleak:   backtrace:
>> [   49.213363]      kmemleak_alloc+0x4a/0xa0
>> [   49.213363]      __vmalloc_node_range+0x20a/0x2b0
>> [   49.213363]      module_alloc+0x67/0xc0
>> [   49.213363]      arch_ftrace_update_trampoline+0xba/0x260
>> [   49.213363]      ftrace_startup+0x90/0x210
>> [   49.213363]      register_ftrace_function+0x4b/0x60
>> [   49.213363]      arm_kprobe+0x84/0xe0
>> [   49.213363]      register_kprobe+0x56e/0x5b0
>> [   49.213363]      init_test_probes+0x61/0x560
>> [   49.213363]      init_kprobes+0x1e3/0x206
>> [   49.213363]      do_one_initcall+0x52/0x1a0
>> [   49.213363]      kernel_init_freeable+0x178/0x200
>> [   49.213363]      kernel_init+0xe/0x100
>> [   49.213363]      ret_from_fork+0x2c/0x40
>> [   49.213363]      0xffffffffffffffff
>
> You could as well use kmemleak this way since it tracks the memory
> allocations. However, it doesn't track alloc_pages and also doesn't
> track mapping existing pages (vmap etc.).

One thing I've pondered: can we make some debugging mode (kmemleak,
perhaps?) check that freed memory is RW at the time it's freed?  I
once wrote some buggy code that freed an R page and caused an OOPS
much later, and this bug here seems likely to be some code that frees
RWX memory.

--Andy
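As an added example (not from the thread or the kernel tree): a small Python tool that automates the correlation Luis does by hand above, parsing the `x86/mm` W+X warning and the kmemleak `dump=` output out of dmesg and reporting which tracked allocation covers the flagged page. The sample log is the thread's own output with the mail quoting stripped, and the 4 KiB page size is an assumption.

```python
import re

# Constructed sample: the W+X warning and the kmemleak dump quoted in this thread,
# with the mail quoting (">> ") stripped. Trailing backtrace frames omitted.
DMESG_SAMPLE = """\
[    0.917636] x86/mm: Found insecure W+X mapping at address ffffffffc03d5000/0xffffffffc03d5000
[   49.209565] kmemleak: Object 0xffffffffc03d5000 (size 335):
[   49.210814] kmemleak:   comm "swapper/0", pid 1, jiffies 4294892440
[   49.213363] kmemleak:   backtrace:
[   49.213363]      kmemleak_alloc+0x4a/0xa0
[   49.213363]      __vmalloc_node_range+0x20a/0x2b0
[   49.213363]      module_alloc+0x67/0xc0
[   49.213363]      arch_ftrace_update_trampoline+0xba/0x260
[   49.213363]      0xffffffffffffffff
"""

PAGE_SIZE = 4096  # assumed: x86-64 base page size, the granularity the W+X checker reports
WX_RE = re.compile(r"Found insecure W\+X mapping at address ([0-9a-f]+)/")
OBJ_RE = re.compile(r"kmemleak: Object 0x([0-9a-f]+) \(size (\d+)\):")
COMM_RE = re.compile(r'kmemleak:\s+comm "([^"]*)", pid (\d+)')
FRAME_RE = re.compile(r"^\[[^\]]*\]\s{5,}(\S+)$")  # backtrace frames are indented deeper

def parse_wx_addresses(log):
    """Virtual addresses the W+X checker flagged (it prints each address twice)."""
    return [int(m.group(1), 16) for m in WX_RE.finditer(log)]

def parse_kmemleak_objects(log):
    """Parse 'echo dump=<addr> > /sys/kernel/debug/kmemleak' records out of dmesg."""
    objs = []
    for line in log.splitlines():
        if m := OBJ_RE.search(line):
            objs.append({"addr": int(m.group(1), 16), "size": int(m.group(2)),
                         "comm": None, "pid": None, "backtrace": []})
        elif objs and (m := COMM_RE.search(line)):
            objs[-1]["comm"], objs[-1]["pid"] = m.group(1), int(m.group(2))
        elif objs and (m := FRAME_RE.match(line)) and m.group(1) != "0xffffffffffffffff":
            objs[-1]["backtrace"].append(m.group(1))  # 0xfff...f is the terminator
    return objs

def owner_of(wx_addr, objs):
    """Return the tracked allocation overlapping the page that holds wx_addr, or None.
    None means kmemleak never saw it: alloc_pages and vmap of existing pages are
    not tracked, as Catalin points out above."""
    page = wx_addr & ~(PAGE_SIZE - 1)
    for o in objs:
        if o["addr"] < page + PAGE_SIZE and page < o["addr"] + o["size"]:
            return o
    return None
```

Running `owner_of` on the sample resolves the flagged page to the 335-byte `module_alloc` object allocated by `arch_ftrace_update_trampoline`, matching the manual reading above.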
