| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 May 2018 03:22:27 +0100
From: Dmitry Safonov <dima@...sta.com>
To: Andy Lutomirski <luto@...nel.org>,
Dmitry Safonov <0x7f454c46@...il.com>
Cc: LKML <linux-kernel@...r.kernel.org>, izbyshev@...ras.ru,
Alexander Monakov <amonakov@...ras.ru>,
Borislav Petkov <bp@...e.de>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Linux-MM <linux-mm@...ck.org>, X86 ML <x86@...nel.org>,
stable <stable@...r.kernel.org>
Subject: Re: [PATCH] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
On Fri, 2018-05-18 at 19:05 -0700, Andy Lutomirski wrote:
> > On May 18, 2018, at 4:10 PM, Dmitry Safonov <0x7f454c46@...il.com>
> > cpu family : 6
> > model : 142
> > model name : Intel(R) Core(TM) i7-7600U CPU @ 2.80GHz
> > But I usually test kernels in VM. So, I use virt-manager as it's
> > easier to manage
> > multiple VMs. The thing is that I've chosen "Copy host CPU
> > configuration"
> > and for some reason, I don't quite follow virt-manager makes model
>
> "Opteron_G4".
> > I'm on Fedora 27, virt-manager 1.4.3, qemu 2.9.1(qemu-2.9.1-
> > 2.fc26).
> > So, cpuinfo in VM says:
> > cpu family : 21
> > model : 1
> > model name : AMD Opteron 62xx class CPU
>
> What does guest cpuinfo say for vendor_id?
>
> There are multiple potential screwups here.
>
> 1. (What I *thought* was going on) AMD CPUs have screwy IRET behavior
> that’s different from Intel’s, and the test case was definitely
> wrong. But
> KVM has no way to influence it. Are you sure you’re using KVM and
> not QEMU
> TCG? Anyway, the IRET thing is minor compared to your other problems,
> so
> let’s try to fix them first.
>
> 2. Compat fast syscalls are wildly different on AMD and Intel.
> Because of
> this issue, QEMU with KVM is supposed to always report the real
> vendor_id
> no matter -cpu asks for. If we get the wrong vendor_id, then we’re
> at the
> mercy of KVM’s emulation and performance will suck. On older
> kernels, this
> would cause hideous kernel crashes. On new kernels, I would expect
> it to
> merely crash 32-bit user programs or be slow.
Heh, I didn't know those details, so it looks like it's (2),
vendor_id : AuthenticAMD
in guest.
>
> > What's worse than registers changes is that some selftests actually
> > lead
>
> to
> > Oops's. The same reason for criu-ia32 fails.
> > I've tested so far v4.15 and v4.16 releases besides master
> > (2c71d338bef2),
> > so it looks to be not a recent regression.
> > Full Oopses:
> > [ 189.100174] BUG: unable to handle kernel paging request at
>
> 00000000417bafe8
> > [ 189.100174] PGD 69ed4067 P4D 69ed4067 PUD 707fc067 PMD 6c535067
> > PTE
>
> 6991f067
> > [ 189.100174] Oops: 0001 [#3] SMP NOPTI
>
> Whoa there! 0001 means a failed *kernel* access.
>
> > [ 189.100174] Modules linked in:
> > [ 189.100174] CPU: 0 PID: 2443 Comm: sysret_ss_attrs Tainted: G
>
> Was this sysret_ss_attrs_32 or sysret_ss_attrs_64?
sysret_ss_attrs_32 survives
>
> > D 4.17.0-rc5+ #11
> > [ 189.103187] Hardware name: QEMU Standard PC (i440FX + PIIX,
> > 1996),
> > BIOS 1.10.2-1.fc26 04/01/2014
> > [ 189.103187] RIP: 0033:0x40085a
>
> The oops was caused from CPL 3 at what looks like a totally sensible
> user
> address. Can you disassemble the offending binary and tell me what
> the
> code at 0x40085a is?
Here is the function:
0000000000400842 <call32_from_64>:
400842: 53 push %rbx
400843: 55 push %rbp
400844: 41 54 push %r12
400846: 41 55 push %r13
400848: 41 56 push %r14
40084a: 41 57 push %r15
40084c: 9c pushfq
40084d: 48 89 27 mov %rsp,(%rdi)
400850: 48 89 fc mov %rdi,%rsp
400853: 6a 23 pushq $0x23
400855: 68 5c 08 40 00 pushq $0x40085c
40085a: 48 cb lretq
40085c: ff d6 callq *%rsi
40085e: ea (bad)
40085f: 65 08 40 00 or %al,%gs:0x0(%rax)
400863: 33 00 xor (%rax),%eax
400865: 48 8b 24 24 mov (%rsp),%rsp
400869: 9d popfq
40086a: 41 5f pop %r15
40086c: 41 5e pop %r14
40086e: 41 5d pop %r13
400870: 41 5c pop %r12
400872: 5d pop %rbp
400873: 5b pop %rbx
400874: c3 retq
400875: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
40087c: 00 00 00
40087f: 90 nop
Looks like mov between registers caused it? The hell.
>
> > [ 189.103187] RSP: 002b:00000000417bafe8 EFLAGS: 00000206
> > [ 189.103187] RAX: 0000000000000000 RBX: 00000000000003e8 RCX:
>
> 0000000000000000
> > [ 189.103187] RDX: 0000000000000000 RSI: 0000000000400830 RDI:
>
> 00000000417baff8
> > [ 189.103187] RBP: 00000000417baff8 R08: 0000000000000000 R09:
>
> 0000000000000077
> > [ 189.103187] R10: 0000000000000006 R11: 0000000000000000 R12:
>
> 00000000417ba000
> > [ 189.103187] R13: 00007ffc05207840 R14: 0000000000000000 R15:
>
> 0000000000000000
> > [ 189.103187] FS: 00007f98566ecb40(0000)
> > GS:ffff9740ffc00000(0000)
> > knlGS:0000000000000000
> > [ 189.103187] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>
> CS here is the value of CS that the *kernel* has, so 0x10 is normal.
>
> > [ 189.103187] CR2: 00000000417bafe8 CR3: 0000000069dc4000 CR4:
>
> 00000000007406f0
>
> CR2 is in user space.
>
> So the big question is: what happened here? Why did the CPU (or
> emulated
> CPU) attempt a privileged access to a user address while running user
> code?
No idea, but looks like it's not a kernel fault.
--
Thanks,
Dmitry
Powered by blists - more mailing lists