| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Sep 2020 13:51:58 -0700
From: Nick Desaulniers <ndesaulniers@...gle.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Borislav Petkov <bp@...en8.de>,
Alexander Potapenko <glider@...gle.com>,
Marco Elver <elver@...gle.com>,
syzbot <syzbot+ce179bc99e64377c24bc@...kaller.appspotmail.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>, Jiri Olsa <jolsa@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Mark Rutland <mark.rutland@....com>,
Ingo Molnar <mingo@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>,
"the arch/x86 maintainers" <x86@...nel.org>,
clang-built-linux <clang-built-linux@...glegroups.com>
Subject: Re: general protection fault in perf_misc_flags
On Mon, Sep 28, 2020 at 3:34 AM 'Dmitry Vyukov' via Clang Built Linux
<clang-built-linux@...glegroups.com> wrote:
>
> On Mon, Sep 28, 2020 at 10:54 AM Borislav Petkov <bp@...en8.de> wrote:
> >
> > On Mon, Sep 28, 2020 at 10:40:19AM +0200, Dmitry Vyukov wrote:
> > > I meant the kernel self-corrupts itself, that just wasn't detected by
> > > KASAN, page protections, etc.
> >
> > Well, Nick already asked this but we're marking all kernel text RO early
> > during boot. So it either is happening before that or something else
> > altogether is going on.
On Sun, Sep 27, 2020 at 11:06 PM 'Dmitry Vyukov' via Clang Built Linux
<clang-built-linux@...glegroups.com> wrote:
>
> Interestingly there is a new crash, which looks similar:
>
> general protection fault in map_vdso
> https://syzkaller.appspot.com/bug?extid=c2ae01c2b1b385384a06
>
> The code is also with 4 0's:
> Code: 00 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 49 89 ff 41 56 41
> 55 41 54 55 65 48 8b 2c 25 c0 fe 01 00 48 8d bd 28 04 00 00 53 <48> 00
> 00 00 00 fa 48 83 ec 10 48 c1 ea 03 80 3c 02 00 0f 85 51 02
>
> But it happened with gcc.
>
> Also I found this older one:
> general protection fault in map_vdso_randomized
> https://syzkaller.appspot.com/bug?id=8366fd024559946137b9db23b26fd2235d43b383
>
> which also has code smashed and happened with gcc:
> Code: 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 eb 00 00 00
> 65 48 8b 1c 25 c0 fe 01 00 48 8d bb 28 04 00 00 41 2b 54 24 20 <00> 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
If this is related to vdso's, they seem mapped as `r-xp` (not `w):
$ sudo cat /proc/1/maps | grep vdso
7ffc667f5000-7ffc667f7000 r-xp 00000000 00:00 0 [vdso]
map_vdso() in arch/x86/entry/vdso/vma.c doesn't map the VMA as
writable, but it uses VM_MAYWRITE with a comment about GDB setting
breakpoints.
So it sounds like the page protections on the vdso can be changed at
runtime (via mprotect). Maybe syzkaller is tickling that first?
map_vdso_randomized() does call map_vdso(). Maybe if we mprotect the
vdso to be writable, it may be easier to spot the write.
--
Thanks,
~Nick Desaulniers
Powered by blists - more mailing lists