Date:   Wed, 08 Aug 2018 17:26:53 +0800
From:   kernel test robot <lkp@...el.com>
To:     Joerg Roedel <jroedel@...e.de>
Cc:     LKP <lkp@...org>, linux-kernel@...r.kernel.org,
        Thomas Gleixner <tglx@...utronix.de>
Subject: 30514effc9 ("x86/mm/pti: Don't clear permissions in .."):
  WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git x86/pti

commit 30514effc9206d4e084ec32239ae221db157d43a
Author:     Joerg Roedel <jroedel@...e.de>
AuthorDate: Tue Aug 7 12:24:30 2018 +0200
Commit:     Thomas Gleixner <tglx@...utronix.de>
CommitDate: Tue Aug 7 23:36:02 2018 +0200

    x86/mm/pti: Don't clear permissions in pti_clone_pmd()
    
    The function sets the global-bit on cloned PMD entries, which only makes
    sense when the permissions are identical between the user and the kernel
    page-table. Further, only write-permissions are cleared for entry-text and
    kernel-text sections, which are not writeable at the end of the boot
    process.
    
    The reason why this RW clearing exists is that in the early PTI
    implementations the cloned kernel areas were set up during early boot
    before the kernel text is set to read only and not touched afterwards.
    
    This is no longer true. The cloned areas are still set up early to get the
    entry code working for interrupts and other things, but after the kernel
    text has been set RO the clone is repeated which copies the RO PMD/PTEs
    over to the user visible clone. That means the initial clearing of the
    writable bit can be avoided.
    
    [ tglx: Amended changelog ]
    
    Signed-off-by: Joerg Roedel <jroedel@...e.de>
    Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
    Acked-by: Dave Hansen <dave.hansen@...el.com>
    Cc: "H . Peter Anvin" <hpa@...or.com>
    Cc: linux-mm@...ck.org
    Cc: Linus Torvalds <torvalds@...ux-foundation.org>
    Cc: Andy Lutomirski <luto@...nel.org>
    Cc: Josh Poimboeuf <jpoimboe@...hat.com>
    Cc: Juergen Gross <jgross@...e.com>
    Cc: Peter Zijlstra <peterz@...radead.org>
    Cc: Borislav Petkov <bp@...en8.de>
    Cc: Jiri Kosina <jkosina@...e.cz>
    Cc: Boris Ostrovsky <boris.ostrovsky@...cle.com>
    Cc: Brian Gerst <brgerst@...il.com>
    Cc: David Laight <David.Laight@...lab.com>
    Cc: Denys Vlasenko <dvlasenk@...hat.com>
    Cc: Eduardo Valentin <eduval@...zon.com>
    Cc: Greg KH <gregkh@...uxfoundation.org>
    Cc: Will Deacon <will.deacon@....com>
    Cc: aliguori@...zon.com
    Cc: daniel.gruss@...k.tugraz.at
    Cc: hughd@...gle.com
    Cc: keescook@...gle.com
    Cc: Andrea Arcangeli <aarcange@...hat.com>
    Cc: Waiman Long <llong@...hat.com>
    Cc: Pavel Machek <pavel@....cz>
    Cc: "David H . Gutteridge" <dhgutteridge@...patico.ca>
    Cc: joro@...tes.org
    Link: https://lkml.kernel.org/r/1533637471-30953-3-git-send-email-joro@8bytes.org

88c6f8a397  x86/mm/pti: Fix 32 bit PCID check
30514effc9  x86/mm/pti: Don't clear permissions in pti_clone_pmd()
16a3fe634f  x86/mm/pti: Clone kernel-image on PTE level for 32 bit
5d09a26943  Merge branch 'x86/urgent'
+-----------------------------------------------------+------------+------------+------------+------------+
|                                                     | 88c6f8a397 | 30514effc9 | 16a3fe634f | 5d09a26943 |
+-----------------------------------------------------+------------+------------+------------+------------+
| boot_successes                                      | 35         | 0          | 0          | 0          |
| boot_failures                                       | 0          | 15         | 13         | 11         |
| WARNING:at_arch/x86/mm/dump_pagetables.c:#note_page | 0          | 15         | 13         | 11         |
| RIP:note_page                                       | 0          | 15         | 13         | 11         |
+-----------------------------------------------------+------------+------------+------------+------------+

[   16.937839] Freeing unused kernel image memory: 556K
[   16.954368] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   16.956696] x86/mm: Checking user space page tables
[   16.973108] ------------[ cut here ]------------
[   16.975052] x86/mm: Found insecure W+X mapping at address (____ptrval____)/native_usergs_sysret64+0x0/0x10
[   16.978787] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page+0xdd/0x890
[   16.982965] CPU: 0 PID: 1 Comm: swapper Tainted: G                T 4.18.0-rc8-00058-g30514eff #1
[   16.986506] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   16.989935] RIP: 0010:note_page+0xdd/0x890
[   16.991679] Code: 74 f4 4d 85 c9 78 ef 80 3d 95 ec 20 02 00 48 8b 76 18 75 1c 48 89 f2 48 c7 c7 18 49 d3 84 c6 05 7e ec 20 02 01 e8 33 b9 06 00 <0f> 0b 48 8b 73 18 4c 8b 4b 20 4c 89 c8 48 29 f0 48 c1 e8 0c 48 01 
[   16.998255] RSP: 0000:ffff88001f457e08 EFLAGS: 00010282
[   17.000269] RAX: 0000000000000000 RBX: ffff88001f457ec8 RCX: 0000000000000000
[   17.002692] RDX: ffff88001f450040 RSI: 0000000000000001 RDI: 0000000000000246
[   17.005129] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   17.007555] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[   17.009980] R13: 0000000000000004 R14: 0000000000000000 R15: ffff88001f457ec8
[   17.012399] FS:  0000000000000000(0000) GS:ffffffff85087000(0000) knlGS:0000000000000000
[   17.015931] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   17.018052] CR2: 0000000000000000 CR3: 000000000cc62001 CR4: 00000000001606f0
[   17.020485] Call Trace:
[   17.021888]  ptdump_walk_pgd_level_core+0x3e7/0x510
[   17.023814]  ? __kprobes_text_end+0x76488/0x76488
[   17.025713]  ? __irqentry_text_end+0x1fe4ee/0x1fe4ee
[   17.027666]  ? rest_init+0xa0/0xa0
[   17.029876]  kernel_init+0x27/0xf0
[   17.031488]  ret_from_fork+0x3a/0x50
[   17.033135] irq event stamp: 9170668
[   17.034781] hardirqs last  enabled at (9170667): [<ffffffff831061d1>] console_unlock+0x451/0x4e0
[   17.038310] hardirqs last disabled at (9170668): [<ffffffff844011b9>] error_entry+0x89/0x110
[   17.041745] softirqs last  enabled at (9170648): [<ffffffff84600214>] __do_softirq+0x214/0x254
[   17.045231] softirqs last disabled at (9170631): [<ffffffff830bcfb1>] irq_exit+0x61/0xc0
[   17.050776] ---[ end trace e678f3f9b7a7f5ff ]---
[   17.054226] x86/mm: Checked W+X mappings: FAILED, 512 W+X pages found.

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 59f242421e6bc986692795d8b1d0289ec0ded657 1ffaddd029c867d134a1dde39f540dcc8c52e274 --
git bisect  bad 49b82b310744d2f1e0e0c7c1783f025b1f925dd9  # 13:38  B      0     7   21   0  Merge 'perf/perf/core' into devel-catchup-201808081129
git bisect good 93fac2021c2785544dc3a400401df7cda0ffaf3f  # 13:49  G     11     0    0   0  Merge 'bluetooth-next/master' into devel-catchup-201808081129
git bisect  bad 49f5b4024f21f256aecd546ee8258e792088fb96  # 13:59  B      0     5   19   0  Merge 'tip/x86/pti' into devel-catchup-201808081129
git bisect good 5d27748d8731b478e3148ea1f3d5564f9eeaa4a8  # 14:14  G     11     0    0   0  Merge 'vfio/next' into devel-catchup-201808081129
git bisect good ff829964a0914aece6b461a1fc9b97bc68663d72  # 14:34  G     11     0    0   0  Merge 'tip/x86/urgent' into devel-catchup-201808081129
git bisect good 1ac228a7c87f697d1d01eb6362a6b5246705b0dd  # 14:45  G     11     0    0   0  x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
git bisect good d5e84c21dbf5ea458897f88346dc979909eed913  # 14:58  G     11     0    0   0  x86/entry/32: Check for VM86 mode in slow-path check
git bisect good 706d51681d636a0c4a5ef53395ec3b803e45ed4d  # 15:11  G     10     0    1   1  x86/speculation: Support Enhanced IBRS on future CPUs
git bisect good c40a56a7818cfe735fc93a69e1875f8bba834483  # 15:23  G     11     0    0   0  x86/mm/init: Remove freed kernel image areas from alias mapping
git bisect good 88c6f8a3977cc35997b47e2f99f080a15559c1eb  # 15:41  G     11     0    0   0  x86/mm/pti: Fix 32 bit PCID check
git bisect  bad 16a3fe634f6a568c6234b8747e5d50487fed3526  # 15:56  B      0     5   20   1  x86/mm/pti: Clone kernel-image on PTE level for 32 bit
git bisect  bad 30514effc9206d4e084ec32239ae221db157d43a  # 16:11  B      0    11   25   0  x86/mm/pti: Don't clear permissions in pti_clone_pmd()
# first bad commit: [30514effc9206d4e084ec32239ae221db157d43a] x86/mm/pti: Don't clear permissions in pti_clone_pmd()
git bisect good 88c6f8a3977cc35997b47e2f99f080a15559c1eb  # 16:13  G     31     0    0   0  x86/mm/pti: Fix 32 bit PCID check
# extra tests with debug options
git bisect  bad 30514effc9206d4e084ec32239ae221db157d43a  # 16:55  B      0     1   15   0  x86/mm/pti: Don't clear permissions in pti_clone_pmd()
# extra tests on HEAD of linux-devel/devel-catchup-201808081129
git bisect  bad 59f242421e6bc986692795d8b1d0289ec0ded657  # 17:01  B      0   365  382   0  0day head guard for 'devel-catchup-201808081129'
# extra tests on tree/branch tip/x86/pti
git bisect  bad 16a3fe634f6a568c6234b8747e5d50487fed3526  # 17:03  B      0    11   25   0  x86/mm/pti: Clone kernel-image on PTE level for 32 bit
# extra tests on tree/branch tip/master
git bisect  bad 5d09a2694308dff4b0bc9b550b7906b11dc9da91  # 17:21  B      0     4   18   0  Merge branch 'x86/urgent'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-ivb41-116:20180808161126:x86_64-randconfig-s4-08081131:4.18.0-rc8-00058-g30514eff:1.gz" of type "application/gzip" (23137 bytes)

View attachment "reproduce-yocto-ivb41-116:20180808161126:x86_64-randconfig-s4-08081131:4.18.0-rc8-00058-g30514eff:1" of type "text/plain" (922 bytes)

View attachment "config-4.18.0-rc8-00058-g30514eff" of type "text/plain" (130224 bytes)
