Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
On Sat, Aug 14, 2021 at 8:59 AM Fabiano Rosas wrote:
>
> Laurent Vivier writes:
>
> >
> > since this patch is merged my VM is experiencing a crash at boot (20% of
> > the time):
> >
> > [8.496850] kernel tried to execute exec-protected page
> > (c00804073278) - exploit
> > attempt? (uid: 0)
> > [8.496921] BUG: Unable to handle kernel instruction fetch
> > [8.496954] Faulting instruction address: 0xc00804073278
> > [8.496994] Oops: Kernel access of bad area, sig: 11 [#1]
> > [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
> > [8.497071] Modules linked in: drm virtio_console fuse
> > drm_panel_orientation_quirks xfs
> > libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror
> > dm_region_hash
> > dm_log dm_mod
> > [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12
> > [8.497228] Workqueue: events control_work_handler [virtio_console]
> > [8.497272] NIP: c00804073278 LR: c00804073278 CTR:
> > c01e9de0
> > [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted
> > (5.14.0-rc4+)
> > [8.497361] MSR: 80004280b033
> > CR: 24002822
> > XER: 200400cf
> > [8.497426] CFAR: c01e9e44 IRQMASK: 1
> > [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00
> > c00042c39520
> > [8.497426] GPR04: 0001
> > 00ff
> > [8.497426] GPR08: 0001 c00042c39520 0001
> > c00804076008
> > [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88
> > c0002c91d400
> > [8.497426] GPR16:
> >
> > [8.497426] GPR20:
> > c00804080340
> > [8.497426] GPR24: c008040a01e8
> > c0002e0975c0
> > [8.497426] GPR28: c0002ce72940 c00042c39520 0048
> > 0038
> > [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console]
> > [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console]
> > [8.497976] Call Trace:
> > [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210
> > [virtio_console] (unreliable)
> > [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470
> > [virtio_console]
> > [8.498102] [c0002e4efbb0] [c008040750f4]
> > control_work_handler+0xbc/0x1e8
> > [virtio_console]
> > [8.498160] [c0002e4efc60] [c017f4f0]
> > process_one_work+0x290/0x590
> > [8.498212] [c0002e4efd00] [c017f878]
> > worker_thread+0x88/0x620
> > [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0
> > [8.498299] [c0002e4efe10] [c000cf54]
> > ret_from_kernel_thread+0x5c/0x64
> > [8.498349] Instruction dump:
> > [8.498374] 7da96b78 a14d0c8a 419c00b0 2f8a 419eff88 b32d0c8a
> > 7c0004ac 4b7c
> > [8.498430] 6000 6000 7fa3eb78 48002d95 3860
> > 480025e1 e8410018
> > [8.498485] ---[ end trace 16ee10903290b647 ]---
> > [8.501433]
> > [9.502601] Kernel panic - not syncing: Fatal exception
> >
> > add_port+0x1a8/0x470 :
> >
> > 1420
> > 1421/* We can safely ignore ENOSPC because it means
> > 1422 * the queue already has buffers. Buffers are removed
> > 1423 * only by virtcons_remove(), not by unplug_port()
> > 1424 */
> > ->1425err = fill_queue(port->in_vq, >inbuf_lock);
> > 1426if (err < 0 && err != -ENOSPC) {
> > 1427dev_err(port->dev, "Error allocating
> > inbufs\n");
> > 1428goto free_device;
> > 1429}
> >
> > fill_queue+0x90/0x210 :
> >
> > 1326static int fill_queue(struct virtqueue *vq, spinlock_t *lock)
> > 1327{
> > 1328struct port_buffer *buf;
> > 1329int nr_added_bufs;
> > 1330int ret;
> > 1331
> > 1332nr_added_bufs = 0;
> > 1333do {
> > 1334buf = alloc_buf(vq->vdev, PAGE_SIZE, 0);
> > 1335if (!buf)
> > 1336return -ENOMEM;
> > 1337
> > ->1338spin_lock_irq(lock);
> >
> > I'm using an upstream kernel (5.14-rc4, 251a1524293d) in the VM.
> >
> > My host is a RHEL 8.5/POWER9: qemu-kvm-6.0.0-21 and kernel-4.18.0-325
> >
> > My qemu command line is:
> >
> > /usr/libexec/qemu-kvm \
> > -M pseries,accel=kvm \
> > -nographic -nodefaults \
> > -device virtio-serial-pci \
> > -device virtconsole \
> > -device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,netdev=hostnet0 \
> > -blockdev
> > node-name=disk1,file.driver=file,driver=qcow2,file.driver=file,file.filename=disk.qcow2
> > \
> >
Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
Laurent Vivier writes:
>
> since this patch is merged my VM is experiencing a crash at boot (20% of the
> time):
>
> [8.496850] kernel tried to execute exec-protected page (c00804073278)
> - exploit
> attempt? (uid: 0)
> [8.496921] BUG: Unable to handle kernel instruction fetch
> [8.496954] Faulting instruction address: 0xc00804073278
> [8.496994] Oops: Kernel access of bad area, sig: 11 [#1]
> [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
> [8.497071] Modules linked in: drm virtio_console fuse
> drm_panel_orientation_quirks xfs
> libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror
> dm_region_hash
> dm_log dm_mod
> [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12
> [8.497228] Workqueue: events control_work_handler [virtio_console]
> [8.497272] NIP: c00804073278 LR: c00804073278 CTR:
> c01e9de0
> [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted (5.14.0-rc4+)
> [8.497361] MSR: 80004280b033 CR:
> 24002822
> XER: 200400cf
> [8.497426] CFAR: c01e9e44 IRQMASK: 1
> [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00
> c00042c39520
> [8.497426] GPR04: 0001
> 00ff
> [8.497426] GPR08: 0001 c00042c39520 0001
> c00804076008
> [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88
> c0002c91d400
> [8.497426] GPR16:
>
> [8.497426] GPR20:
> c00804080340
> [8.497426] GPR24: c008040a01e8
> c0002e0975c0
> [8.497426] GPR28: c0002ce72940 c00042c39520 0048
> 0038
> [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console]
> [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console]
> [8.497976] Call Trace:
> [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210
> [virtio_console] (unreliable)
> [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470
> [virtio_console]
> [8.498102] [c0002e4efbb0] [c008040750f4]
> control_work_handler+0xbc/0x1e8
> [virtio_console]
> [8.498160] [c0002e4efc60] [c017f4f0]
> process_one_work+0x290/0x590
> [8.498212] [c0002e4efd00] [c017f878] worker_thread+0x88/0x620
> [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0
> [8.498299] [c0002e4efe10] [c000cf54]
> ret_from_kernel_thread+0x5c/0x64
> [8.498349] Instruction dump:
> [8.498374] 7da96b78 a14d0c8a 419c00b0 2f8a 419eff88 b32d0c8a 7c0004ac
> 4b7c
> [8.498430] 6000 6000 7fa3eb78 48002d95 3860
> 480025e1 e8410018
> [8.498485] ---[ end trace 16ee10903290b647 ]---
> [8.501433]
> [9.502601] Kernel panic - not syncing: Fatal exception
>
> add_port+0x1a8/0x470 :
>
> 1420
> 1421/* We can safely ignore ENOSPC because it means
> 1422 * the queue already has buffers. Buffers are removed
> 1423 * only by virtcons_remove(), not by unplug_port()
> 1424 */
> ->1425err = fill_queue(port->in_vq, >inbuf_lock);
> 1426if (err < 0 && err != -ENOSPC) {
> 1427dev_err(port->dev, "Error allocating inbufs\n");
> 1428goto free_device;
> 1429}
>
> fill_queue+0x90/0x210 :
>
> 1326static int fill_queue(struct virtqueue *vq, spinlock_t *lock)
> 1327{
> 1328struct port_buffer *buf;
> 1329int nr_added_bufs;
> 1330int ret;
> 1331
> 1332nr_added_bufs = 0;
> 1333do {
> 1334buf = alloc_buf(vq->vdev, PAGE_SIZE, 0);
> 1335if (!buf)
> 1336return -ENOMEM;
> 1337
> ->1338spin_lock_irq(lock);
>
> I'm using an upstream kernel (5.14-rc4, 251a1524293d) in the VM.
>
> My host is a RHEL 8.5/POWER9: qemu-kvm-6.0.0-21 and kernel-4.18.0-325
>
> My qemu command line is:
>
> /usr/libexec/qemu-kvm \
> -M pseries,accel=kvm \
> -nographic -nodefaults \
> -device virtio-serial-pci \
> -device virtconsole \
> -device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,netdev=hostnet0 \
> -blockdev
> node-name=disk1,file.driver=file,driver=qcow2,file.driver=file,file.filename=disk.qcow2
> \
> -netdev bridge,id=hostnet0,br=virbr0,helper=/usr/libexec/qemu-bridge-helper \
> -device virtio-blk-pci,id=image1,drive=disk1 \
> -m 8192 \
> -smp 4 \
> -serial mon:stdio
>
>
> Do we need something in qemu/kvm to support STRICT_MODULE_RWX ?
>
> Thanks,
> Laurent
This
Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
Hi, On 09/06/2021 03:34, Jordan Niethe wrote: > From: Russell Currey > > To enable strict module RWX on powerpc, set: > > CONFIG_STRICT_MODULE_RWX=y > > You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real > security benefit. > > ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX. > This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that > makes STRICT_MODULE_RWX *on by default* in configurations where > STRICT_KERNEL_RWX is *unavailable*. > > Since this doesn't make much sense, and module RWX without kernel RWX > doesn't make much sense, having the same dependencies as kernel RWX > works around this problem. > > Book3s/32 603 and 604 core processors are not able to write protect > kernel pages so do not set ARCH_HAS_STRICT_MODULE_RWX for Book3s/32. > > Reviewed-by: Christophe Leroy > Signed-off-by: Russell Currey > [jpn: - predicate on !PPC_BOOK3S_604 > - make module_alloc() use PAGE_KERNEL protection] > Signed-off-by: Jordan Niethe > --- > v10: - Predicate on !PPC_BOOK3S_604 > - Make module_alloc() use PAGE_KERNEL protection > v11: - Neaten up > v13: Use strict_kernel_rwx_enabled() > v14: Make changes to module_alloc() its own commit > v15: - Force STRICT_KERNEL_RWX if STRICT_MODULE_RWX is selected > - Predicate on !PPC_BOOK3S_32 instead > --- > arch/powerpc/Kconfig | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index abfe2e9225fa..72f307f1796b 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -142,6 +142,7 @@ config PPC > select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE > && PPC_BOOK3S_64 > select ARCH_HAS_SET_MEMORY > select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && > !HIBERNATION) > + select ARCH_HAS_STRICT_MODULE_RWX if ARCH_HAS_STRICT_KERNEL_RWX > && !PPC_BOOK3S_32 > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > select ARCH_HAS_UACCESS_FLUSHCACHE > select ARCH_HAS_UBSAN_SANITIZE_ALL > @@ -267,6 +268,7 @@ config PPC > select PPC_DAWR if PPC64 > select RTC_LIB > select SPARSE_IRQ > + select STRICT_KERNEL_RWX if STRICT_MODULE_RWX > select SYSCTL_EXCEPTION_TRACE > select THREAD_INFO_IN_TASK > select VIRT_TO_BUS if !PPC64 > since this patch is merged my VM is experiencing a crash at boot (20% of the time): [8.496850] kernel tried to execute exec-protected page (c00804073278) - exploit attempt? (uid: 0) [8.496921] BUG: Unable to handle kernel instruction fetch [8.496954] Faulting instruction address: 0xc00804073278 [8.496994] Oops: Kernel access of bad area, sig: 11 [#1] [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries [8.497071] Modules linked in: drm virtio_console fuse drm_panel_orientation_quirks xfs libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror dm_region_hash dm_log dm_mod [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12 [8.497228] Workqueue: events control_work_handler [virtio_console] [8.497272] NIP: c00804073278 LR: c00804073278 CTR: c01e9de0 [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted (5.14.0-rc4+) [8.497361] MSR: 80004280b033 CR: 24002822 XER: 200400cf [8.497426] CFAR: c01e9e44 IRQMASK: 1 [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00 c00042c39520 [8.497426] GPR04: 0001 00ff [8.497426] GPR08: 0001 c00042c39520 0001 c00804076008 [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88 c0002c91d400 [8.497426] GPR16: [8.497426] GPR20: c00804080340 [8.497426] GPR24: c008040a01e8 c0002e0975c0 [8.497426] GPR28: c0002ce72940 c00042c39520 0048 0038 [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console] [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console] [8.497976] Call Trace: [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210 [virtio_console] (unreliable) [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470 [virtio_console] [8.498102] [c0002e4efbb0] [c008040750f4] control_work_handler+0xbc/0x1e8 [virtio_console] [8.498160] [c0002e4efc60] [c017f4f0] process_one_work+0x290/0x590 [8.498212] [c0002e4efd00] [c017f878] worker_thread+0x88/0x620 [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0 [8.498299] [c0002e4efe10]
[PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
From: Russell Currey To enable strict module RWX on powerpc, set: CONFIG_STRICT_MODULE_RWX=y You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real security benefit. ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX. This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that makes STRICT_MODULE_RWX *on by default* in configurations where STRICT_KERNEL_RWX is *unavailable*. Since this doesn't make much sense, and module RWX without kernel RWX doesn't make much sense, having the same dependencies as kernel RWX works around this problem. Book3s/32 603 and 604 core processors are not able to write protect kernel pages so do not set ARCH_HAS_STRICT_MODULE_RWX for Book3s/32. Reviewed-by: Christophe Leroy Signed-off-by: Russell Currey [jpn: - predicate on !PPC_BOOK3S_604 - make module_alloc() use PAGE_KERNEL protection] Signed-off-by: Jordan Niethe --- v10: - Predicate on !PPC_BOOK3S_604 - Make module_alloc() use PAGE_KERNEL protection v11: - Neaten up v13: Use strict_kernel_rwx_enabled() v14: Make changes to module_alloc() its own commit v15: - Force STRICT_KERNEL_RWX if STRICT_MODULE_RWX is selected - Predicate on !PPC_BOOK3S_32 instead --- arch/powerpc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index abfe2e9225fa..72f307f1796b 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -142,6 +142,7 @@ config PPC select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64 select ARCH_HAS_SET_MEMORY select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION) + select ARCH_HAS_STRICT_MODULE_RWX if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_32 select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST select ARCH_HAS_UACCESS_FLUSHCACHE select ARCH_HAS_UBSAN_SANITIZE_ALL @@ -267,6 +268,7 @@ config PPC select PPC_DAWR if PPC64 select RTC_LIB select SPARSE_IRQ + select STRICT_KERNEL_RWX if STRICT_MODULE_RWX select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select VIRT_TO_BUS if !PPC64 -- 2.25.1
