| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55BF5B29-880D-4489-A93D-E8CEE5C09045@vmware.com>
Date: Tue, 18 Jun 2019 05:59:44 +0000
From: Nadav Amit <namit@...are.com>
To: Yang Yingliang <yangyingliang@...wei.com>
CC: LKML <linux-kernel@...r.kernel.org>, Jessica Yu <jeyu@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
"cj.chengjian@...wei.com" <cj.chengjian@...wei.com>,
Borislav Petkov <bp@...en8.de>
Subject: Re: [PATCH] modules: fix BUG when load module with rodata=n
> On Jun 16, 2019, at 11:59 PM, Yang Yingliang <yangyingliang@...wei.com> wrote:
>
> When loading a module with rodata=n, it causes an executing
> NX-protected page BUG.
>
> [ 32.379191] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [ 32.382917] BUG: unable to handle page fault for address: ffffffffc0005000
> [ 32.385947] #PF: supervisor instruction fetch in kernel mode
> [ 32.387662] #PF: error_code(0x0011) - permissions violation
> [ 32.389352] PGD 240c067 P4D 240c067 PUD 240e067 PMD 421a52067 PTE 8000000421a53063
> [ 32.391396] Oops: 0011 [#1] SMP PTI
> [ 32.392478] CPU: 7 PID: 2697 Comm: insmod Tainted: G O 5.2.0-rc5+ #202
> [ 32.394588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> [ 32.398157] RIP: 0010:ko_test_init+0x0/0x1000 [ko_test]
> [ 32.399662] Code: Bad RIP value.
> [ 32.400621] RSP: 0018:ffffc900029f3ca8 EFLAGS: 00010246
> [ 32.402171] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [ 32.404332] RDX: 00000000000004c7 RSI: 0000000000000cc0 RDI: ffffffffc0005000
> [ 32.406347] RBP: ffffffffc0005000 R08: ffff88842fbebc40 R09: ffffffff810ede4a
> [ 32.408392] R10: ffffea00108e3480 R11: 0000000000000000 R12: ffff88842bee21a0
> [ 32.410472] R13: 0000000000000001 R14: 0000000000000001 R15: ffffc900029f3e78
> [ 32.412609] FS: 00007fb4f0c0a700(0000) GS:ffff88842fbc0000(0000) knlGS:0000000000000000
> [ 32.414722] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 32.416290] CR2: ffffffffc0004fd6 CR3: 0000000421a90004 CR4: 0000000000020ee0
> [ 32.418471] Call Trace:
> [ 32.419136] do_one_initcall+0x41/0x1df
> [ 32.420199] ? _cond_resched+0x10/0x40
> [ 32.421433] ? kmem_cache_alloc_trace+0x36/0x160
> [ 32.422827] do_init_module+0x56/0x1f7
> [ 32.423946] load_module+0x1e67/0x2580
> [ 32.424947] ? __alloc_pages_nodemask+0x150/0x2c0
> [ 32.426413] ? map_vm_area+0x2d/0x40
> [ 32.427530] ? __vmalloc_node_range+0x1ef/0x260
> [ 32.428850] ? __do_sys_init_module+0x135/0x170
> [ 32.430060] ? _cond_resched+0x10/0x40
> [ 32.431249] __do_sys_init_module+0x135/0x170
> [ 32.432547] do_syscall_64+0x43/0x120
> [ 32.433853] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Because if rodata=n, set_memory_x() cann't be called, fix this by
> calling set_memory_x in complete_formation();
>
> Fixes: f2c65fb3221a ("x86/modules: Avoid breaking W^X while loading modules")
> Suggested-by: Jian Cheng <cj.chengjian@...wei.com>
> Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
> ---
> kernel/module.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/module.c b/kernel/module.c
> index 80c7c09584cf..1a5d879573c3 100644
> --- a/kernel/module.c
> +++ b/kernel/module.c
> @@ -1949,12 +1949,10 @@ void module_enable_ro(const struct module *mod, bool after_init)
> set_vm_flush_reset_perms(mod->core_layout.base);
> set_vm_flush_reset_perms(mod->init_layout.base);
> frob_text(&mod->core_layout, set_memory_ro);
> - frob_text(&mod->core_layout, set_memory_x);
>
> frob_rodata(&mod->core_layout, set_memory_ro);
>
> frob_text(&mod->init_layout, set_memory_ro);
> - frob_text(&mod->init_layout, set_memory_x);
>
> frob_rodata(&mod->init_layout, set_memory_ro);
>
> @@ -2018,6 +2016,12 @@ void set_all_modules_text_ro(void)
> static void module_enable_nx(const struct module *mod) { }
> #endif
>
> +static void module_enable_x(const struct module *mod)
> +{
> + frob_text(&mod->core_layout, set_memory_x);
> + frob_text(&mod->init_layout, set_memory_x);
> +}
> +
> #ifdef CONFIG_LIVEPATCH
> /*
> * Persist Elf information about a module. Copy the Elf header,
> @@ -3616,6 +3620,7 @@ static int complete_formation(struct module *mod, struct load_info *info)
>
> module_enable_ro(mod, false);
> module_enable_nx(mod);
> + module_enable_x(mod);
>
> /* Mark state as coming so strong_try_module_get() ignores us,
> * but kallsyms etc. can see us. */
> --
> 2.17.1
It does seem that I screwed up (thanks for fixing it!).
Makes me wonder why module_enable_ro() is needed to be called twice
(excluding the write-protecting of the core_layout). I wonder since this
patch would eliminate some calls to set_memory_x(), which indeed do not seem
necessary.
Skimming 444d13ff10fb1 ("modules: add ro_after_init support”), I could
not understand why.
Anyhow,
Reviewed-by: Nadav Amit <namit@...are.com>
Powered by blists - more mailing lists