| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <15CE600C-3006-4C4D-A65E-9B608D55DD35@amacapital.net>
Date: Mon, 28 Sep 2020 14:19:57 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Borislav Petkov <bp@...en8.de>,
Alexander Potapenko <glider@...gle.com>,
Marco Elver <elver@...gle.com>,
syzbot <syzbot+ce179bc99e64377c24bc@...kaller.appspotmail.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>, Jiri Olsa <jolsa@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Mark Rutland <mark.rutland@....com>,
Ingo Molnar <mingo@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>,
the arch/x86 maintainers <x86@...nel.org>,
clang-built-linux <clang-built-linux@...glegroups.com>
Subject: Re: general protection fault in perf_misc_flags
> On Sep 28, 2020, at 1:52 PM, Nick Desaulniers <ndesaulniers@...gle.com> wrote:
>
> On Mon, Sep 28, 2020 at 3:34 AM 'Dmitry Vyukov' via Clang Built Linux
> <clang-built-linux@...glegroups.com> wrote:
>>
>>> On Mon, Sep 28, 2020 at 10:54 AM Borislav Petkov <bp@...en8.de> wrote:
>>>
>>> On Mon, Sep 28, 2020 at 10:40:19AM +0200, Dmitry Vyukov wrote:
>>>> I meant the kernel self-corrupts itself, that just wasn't detected by
>>>> KASAN, page protections, etc.
>>>
>>> Well, Nick already asked this but we're marking all kernel text RO early
>>> during boot. So it either is happening before that or something else
>>> altogether is going on.
>
>> On Sun, Sep 27, 2020 at 11:06 PM 'Dmitry Vyukov' via Clang Built Linux
>> <clang-built-linux@...glegroups.com> wrote:
>>
>> Interestingly there is a new crash, which looks similar:
>>
>> general protection fault in map_vdso
>> https://syzkaller.appspot.com/bug?extid=c2ae01c2b1b385384a06
>>
>> The code is also with 4 0's:
>> Code: 00 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 49 89 ff 41 56 41
>> 55 41 54 55 65 48 8b 2c 25 c0 fe 01 00 48 8d bd 28 04 00 00 53 <48> 00
>> 00 00 00 fa 48 83 ec 10 48 c1 ea 03 80 3c 02 00 0f 85 51 02
>>
>> But it happened with gcc.
>>
>> Also I found this older one:
>> general protection fault in map_vdso_randomized
>> https://syzkaller.appspot.com/bug?id=8366fd024559946137b9db23b26fd2235d43b383
>>
>> which also has code smashed and happened with gcc:
>> Code: 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 eb 00 00 00
>> 65 48 8b 1c 25 c0 fe 01 00 48 8d bb 28 04 00 00 41 2b 54 24 20 <00> 00
>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> If this is related to vdso's, they seem mapped as `r-xp` (not `w):
> $ sudo cat /proc/1/maps | grep vdso
> 7ffc667f5000-7ffc667f7000 r-xp 00000000 00:00 0 [vdso]
>
> map_vdso() in arch/x86/entry/vdso/vma.c doesn't map the VMA as
> writable, but it uses VM_MAYWRITE with a comment about GDB setting
> breakpoints.
>
> So it sounds like the page protections on the vdso can be changed at
> runtime (via mprotect). Maybe syzkaller is tickling that first?
>
> map_vdso_randomized() does call map_vdso(). Maybe if we mprotect the
> vdso to be writable, it may be easier to spot the write.
>
>
The kernel shouldn’t be executing the vDSO code. Unless I’ve misread it, Te crash is that the map_vdso() text itself was corrupted. This isn’t the same thing.
The VM_MAYWRITE means that a program may CoW the page and write to the copy, which still won’t allow changing the vDSO text or executing it inside the kernel.
Powered by blists - more mailing lists