Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
On Sat, Aug 14, 2021 at 8:59 AM Fabiano Rosas wrote: > > Laurent Vivier writes: > > > > > since this patch is merged my VM is experiencing a crash at boot (20% of > > the time): > > > > [8.496850] kernel tried to execute exec-protected page > > (c00804073278) - exploit > > attempt? (uid: 0) > > [8.496921] BUG: Unable to handle kernel instruction fetch > > [8.496954] Faulting instruction address: 0xc00804073278 > > [8.496994] Oops: Kernel access of bad area, sig: 11 [#1] > > [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries > > [8.497071] Modules linked in: drm virtio_console fuse > > drm_panel_orientation_quirks xfs > > libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror > > dm_region_hash > > dm_log dm_mod > > [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12 > > [8.497228] Workqueue: events control_work_handler [virtio_console] > > [8.497272] NIP: c00804073278 LR: c00804073278 CTR: > > c01e9de0 > > [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted > > (5.14.0-rc4+) > > [8.497361] MSR: 80004280b033 > > CR: 24002822 > > XER: 200400cf > > [8.497426] CFAR: c01e9e44 IRQMASK: 1 > > [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00 > > c00042c39520 > > [8.497426] GPR04: 0001 > > 00ff > > [8.497426] GPR08: 0001 c00042c39520 0001 > > c00804076008 > > [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88 > > c0002c91d400 > > [8.497426] GPR16: > > > > [8.497426] GPR20: > > c00804080340 > > [8.497426] GPR24: c008040a01e8 > > c0002e0975c0 > > [8.497426] GPR28: c0002ce72940 c00042c39520 0048 > > 0038 > > [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console] > > [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console] > > [8.497976] Call Trace: > > [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210 > > [virtio_console] (unreliable) > > [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470 > > [virtio_console] > > [8.498102] [c0002e4efbb0] [c008040750f4] > > control_work_handler+0xbc/0x1e8 > > [virtio_console] > > [8.498160] [c0002e4efc60] [c017f4f0] > > process_one_work+0x290/0x590 > > [8.498212] [c0002e4efd00] [c017f878] > > worker_thread+0x88/0x620 > > [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0 > > [8.498299] [c0002e4efe10] [c000cf54] > > ret_from_kernel_thread+0x5c/0x64 > > [8.498349] Instruction dump: > > [8.498374] 7da96b78 a14d0c8a 419c00b0 2f8a 419eff88 b32d0c8a > > 7c0004ac 4b7c > > [8.498430] 6000 6000 7fa3eb78 48002d95 3860 > > 480025e1 e8410018 > > [8.498485] ---[ end trace 16ee10903290b647 ]--- > > [8.501433] > > [9.502601] Kernel panic - not syncing: Fatal exception > > > > add_port+0x1a8/0x470 : > > > > 1420 > > 1421/* We can safely ignore ENOSPC because it means > > 1422 * the queue already has buffers. Buffers are removed > > 1423 * only by virtcons_remove(), not by unplug_port() > > 1424 */ > > ->1425err = fill_queue(port->in_vq, >inbuf_lock); > > 1426if (err < 0 && err != -ENOSPC) { > > 1427dev_err(port->dev, "Error allocating > > inbufs\n"); > > 1428goto free_device; > > 1429} > > > > fill_queue+0x90/0x210 : > > > > 1326static int fill_queue(struct virtqueue *vq, spinlock_t *lock) > > 1327{ > > 1328struct port_buffer *buf; > > 1329int nr_added_bufs; > > 1330int ret; > > 1331 > > 1332nr_added_bufs = 0; > > 1333do { > > 1334buf = alloc_buf(vq->vdev, PAGE_SIZE, 0); > > 1335if (!buf) > > 1336return -ENOMEM; > > 1337 > > ->1338spin_lock_irq(lock); > > > > I'm using an upstream kernel (5.14-rc4, 251a1524293d) in the VM. > > > > My host is a RHEL 8.5/POWER9: qemu-kvm-6.0.0-21 and kernel-4.18.0-325 > > > > My qemu command line is: > > > > /usr/libexec/qemu-kvm \ > > -M pseries,accel=kvm \ > > -nographic -nodefaults \ > > -device virtio-serial-pci \ > > -device virtconsole \ > > -device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,netdev=hostnet0 \ > > -blockdev > > node-name=disk1,file.driver=file,driver=qcow2,file.driver=file,file.filename=disk.qcow2 > > \ > >
Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
Laurent Vivier writes: > > since this patch is merged my VM is experiencing a crash at boot (20% of the > time): > > [8.496850] kernel tried to execute exec-protected page (c00804073278) > - exploit > attempt? (uid: 0) > [8.496921] BUG: Unable to handle kernel instruction fetch > [8.496954] Faulting instruction address: 0xc00804073278 > [8.496994] Oops: Kernel access of bad area, sig: 11 [#1] > [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries > [8.497071] Modules linked in: drm virtio_console fuse > drm_panel_orientation_quirks xfs > libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror > dm_region_hash > dm_log dm_mod > [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12 > [8.497228] Workqueue: events control_work_handler [virtio_console] > [8.497272] NIP: c00804073278 LR: c00804073278 CTR: > c01e9de0 > [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted (5.14.0-rc4+) > [8.497361] MSR: 80004280b033 CR: > 24002822 > XER: 200400cf > [8.497426] CFAR: c01e9e44 IRQMASK: 1 > [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00 > c00042c39520 > [8.497426] GPR04: 0001 > 00ff > [8.497426] GPR08: 0001 c00042c39520 0001 > c00804076008 > [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88 > c0002c91d400 > [8.497426] GPR16: > > [8.497426] GPR20: > c00804080340 > [8.497426] GPR24: c008040a01e8 > c0002e0975c0 > [8.497426] GPR28: c0002ce72940 c00042c39520 0048 > 0038 > [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console] > [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console] > [8.497976] Call Trace: > [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210 > [virtio_console] (unreliable) > [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470 > [virtio_console] > [8.498102] [c0002e4efbb0] [c008040750f4] > control_work_handler+0xbc/0x1e8 > [virtio_console] > [8.498160] [c0002e4efc60] [c017f4f0] > process_one_work+0x290/0x590 > [8.498212] [c0002e4efd00] [c017f878] worker_thread+0x88/0x620 > [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0 > [8.498299] [c0002e4efe10] [c000cf54] > ret_from_kernel_thread+0x5c/0x64 > [8.498349] Instruction dump: > [8.498374] 7da96b78 a14d0c8a 419c00b0 2f8a 419eff88 b32d0c8a 7c0004ac > 4b7c > [8.498430] 6000 6000 7fa3eb78 48002d95 3860 > 480025e1 e8410018 > [8.498485] ---[ end trace 16ee10903290b647 ]--- > [8.501433] > [9.502601] Kernel panic - not syncing: Fatal exception > > add_port+0x1a8/0x470 : > > 1420 > 1421/* We can safely ignore ENOSPC because it means > 1422 * the queue already has buffers. Buffers are removed > 1423 * only by virtcons_remove(), not by unplug_port() > 1424 */ > ->1425err = fill_queue(port->in_vq, >inbuf_lock); > 1426if (err < 0 && err != -ENOSPC) { > 1427dev_err(port->dev, "Error allocating inbufs\n"); > 1428goto free_device; > 1429} > > fill_queue+0x90/0x210 : > > 1326static int fill_queue(struct virtqueue *vq, spinlock_t *lock) > 1327{ > 1328struct port_buffer *buf; > 1329int nr_added_bufs; > 1330int ret; > 1331 > 1332nr_added_bufs = 0; > 1333do { > 1334buf = alloc_buf(vq->vdev, PAGE_SIZE, 0); > 1335if (!buf) > 1336return -ENOMEM; > 1337 > ->1338spin_lock_irq(lock); > > I'm using an upstream kernel (5.14-rc4, 251a1524293d) in the VM. > > My host is a RHEL 8.5/POWER9: qemu-kvm-6.0.0-21 and kernel-4.18.0-325 > > My qemu command line is: > > /usr/libexec/qemu-kvm \ > -M pseries,accel=kvm \ > -nographic -nodefaults \ > -device virtio-serial-pci \ > -device virtconsole \ > -device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,netdev=hostnet0 \ > -blockdev > node-name=disk1,file.driver=file,driver=qcow2,file.driver=file,file.filename=disk.qcow2 > \ > -netdev bridge,id=hostnet0,br=virbr0,helper=/usr/libexec/qemu-bridge-helper \ > -device virtio-blk-pci,id=image1,drive=disk1 \ > -m 8192 \ > -smp 4 \ > -serial mon:stdio > > > Do we need something in qemu/kvm to support STRICT_MODULE_RWX ? > > Thanks, > Laurent This
Re: [PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
Hi, On 09/06/2021 03:34, Jordan Niethe wrote: > From: Russell Currey > > To enable strict module RWX on powerpc, set: > > CONFIG_STRICT_MODULE_RWX=y > > You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real > security benefit. > > ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX. > This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that > makes STRICT_MODULE_RWX *on by default* in configurations where > STRICT_KERNEL_RWX is *unavailable*. > > Since this doesn't make much sense, and module RWX without kernel RWX > doesn't make much sense, having the same dependencies as kernel RWX > works around this problem. > > Book3s/32 603 and 604 core processors are not able to write protect > kernel pages so do not set ARCH_HAS_STRICT_MODULE_RWX for Book3s/32. > > Reviewed-by: Christophe Leroy > Signed-off-by: Russell Currey > [jpn: - predicate on !PPC_BOOK3S_604 > - make module_alloc() use PAGE_KERNEL protection] > Signed-off-by: Jordan Niethe > --- > v10: - Predicate on !PPC_BOOK3S_604 > - Make module_alloc() use PAGE_KERNEL protection > v11: - Neaten up > v13: Use strict_kernel_rwx_enabled() > v14: Make changes to module_alloc() its own commit > v15: - Force STRICT_KERNEL_RWX if STRICT_MODULE_RWX is selected > - Predicate on !PPC_BOOK3S_32 instead > --- > arch/powerpc/Kconfig | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig > index abfe2e9225fa..72f307f1796b 100644 > --- a/arch/powerpc/Kconfig > +++ b/arch/powerpc/Kconfig > @@ -142,6 +142,7 @@ config PPC > select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE > && PPC_BOOK3S_64 > select ARCH_HAS_SET_MEMORY > select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && > !HIBERNATION) > + select ARCH_HAS_STRICT_MODULE_RWX if ARCH_HAS_STRICT_KERNEL_RWX > && !PPC_BOOK3S_32 > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > select ARCH_HAS_UACCESS_FLUSHCACHE > select ARCH_HAS_UBSAN_SANITIZE_ALL > @@ -267,6 +268,7 @@ config PPC > select PPC_DAWR if PPC64 > select RTC_LIB > select SPARSE_IRQ > + select STRICT_KERNEL_RWX if STRICT_MODULE_RWX > select SYSCTL_EXCEPTION_TRACE > select THREAD_INFO_IN_TASK > select VIRT_TO_BUS if !PPC64 > since this patch is merged my VM is experiencing a crash at boot (20% of the time): [8.496850] kernel tried to execute exec-protected page (c00804073278) - exploit attempt? (uid: 0) [8.496921] BUG: Unable to handle kernel instruction fetch [8.496954] Faulting instruction address: 0xc00804073278 [8.496994] Oops: Kernel access of bad area, sig: 11 [#1] [8.497028] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries [8.497071] Modules linked in: drm virtio_console fuse drm_panel_orientation_quirks xfs libcrc32c virtio_net net_failover virtio_blk vmx_crypto failover dm_mirror dm_region_hash dm_log dm_mod [8.497186] CPU: 3 PID: 44 Comm: kworker/3:1 Not tainted 5.14.0-rc4+ #12 [8.497228] Workqueue: events control_work_handler [virtio_console] [8.497272] NIP: c00804073278 LR: c00804073278 CTR: c01e9de0 [8.497320] REGS: c0002e4ef7e0 TRAP: 0400 Not tainted (5.14.0-rc4+) [8.497361] MSR: 80004280b033 CR: 24002822 XER: 200400cf [8.497426] CFAR: c01e9e44 IRQMASK: 1 [8.497426] GPR00: c00804073278 c0002e4efa80 c2a26b00 c00042c39520 [8.497426] GPR04: 0001 00ff [8.497426] GPR08: 0001 c00042c39520 0001 c00804076008 [8.497426] GPR12: c01e9de0 c001fffccb00 c018ba88 c0002c91d400 [8.497426] GPR16: [8.497426] GPR20: c00804080340 [8.497426] GPR24: c008040a01e8 c0002e0975c0 [8.497426] GPR28: c0002ce72940 c00042c39520 0048 0038 [8.497891] NIP [c00804073278] fill_queue+0xf0/0x210 [virtio_console] [8.497934] LR [c00804073278] fill_queue+0xf0/0x210 [virtio_console] [8.497976] Call Trace: [8.497993] [c0002e4efa80] [c0080407323c] fill_queue+0xb4/0x210 [virtio_console] (unreliable) [8.498052] [c0002e4efae0] [c00804073a90] add_port+0x1a8/0x470 [virtio_console] [8.498102] [c0002e4efbb0] [c008040750f4] control_work_handler+0xbc/0x1e8 [virtio_console] [8.498160] [c0002e4efc60] [c017f4f0] process_one_work+0x290/0x590 [8.498212] [c0002e4efd00] [c017f878] worker_thread+0x88/0x620 [8.498256] [c0002e4efda0] [c018bc14] kthread+0x194/0x1a0 [8.498299] [c0002e4efe10]
[PATCH v15 7/9] powerpc: Set ARCH_HAS_STRICT_MODULE_RWX
From: Russell Currey To enable strict module RWX on powerpc, set: CONFIG_STRICT_MODULE_RWX=y You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real security benefit. ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX. This is due to a quirk in arch/Kconfig and arch/powerpc/Kconfig that makes STRICT_MODULE_RWX *on by default* in configurations where STRICT_KERNEL_RWX is *unavailable*. Since this doesn't make much sense, and module RWX without kernel RWX doesn't make much sense, having the same dependencies as kernel RWX works around this problem. Book3s/32 603 and 604 core processors are not able to write protect kernel pages so do not set ARCH_HAS_STRICT_MODULE_RWX for Book3s/32. Reviewed-by: Christophe Leroy Signed-off-by: Russell Currey [jpn: - predicate on !PPC_BOOK3S_604 - make module_alloc() use PAGE_KERNEL protection] Signed-off-by: Jordan Niethe --- v10: - Predicate on !PPC_BOOK3S_604 - Make module_alloc() use PAGE_KERNEL protection v11: - Neaten up v13: Use strict_kernel_rwx_enabled() v14: Make changes to module_alloc() its own commit v15: - Force STRICT_KERNEL_RWX if STRICT_MODULE_RWX is selected - Predicate on !PPC_BOOK3S_32 instead --- arch/powerpc/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index abfe2e9225fa..72f307f1796b 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -142,6 +142,7 @@ config PPC select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64 select ARCH_HAS_SET_MEMORY select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION) + select ARCH_HAS_STRICT_MODULE_RWX if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_32 select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST select ARCH_HAS_UACCESS_FLUSHCACHE select ARCH_HAS_UBSAN_SANITIZE_ALL @@ -267,6 +268,7 @@ config PPC select PPC_DAWR if PPC64 select RTC_LIB select SPARSE_IRQ + select STRICT_KERNEL_RWX if STRICT_MODULE_RWX select SYSCTL_EXCEPTION_TRACE select THREAD_INFO_IN_TASK select VIRT_TO_BUS if !PPC64 -- 2.25.1