From: Pavel Machek <pavel@ucw.cz>
To: Arjan van de Ven <arjan@linux.intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Borislav Petkov <bp@alien8.de>,
kernel list <linux-kernel@vger.kernel.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Brian Gerst <brgerst@gmail.com>,
Denys Vlasenko <dvlasenk@redhat.com>, Peter Anvin <hpa@zytor.com>,
Mike Galbraith <efault@gmx.de>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: 4.4-rc5: ugly warn on: 5 W+X pages found
Date: Tue, 15 Dec 2015 08:56:56 +0100
Message-ID: <20151215075656.GA3734@amd>
In-Reply-To: <566F3378.8070009@linux.intel.com>
On Mon 2015-12-14 13:24:08, Arjan van de Ven wrote:
>
> >That's weird. The only API to do that seems to be manually setting
> >kmap_prot to _PAGE_KERNEL_EXEC, and nothing does that. (Why is
> >kmap_prot a variable on x86 at all? It has exactly one writer, and
> >that's the code that initializes it in the first place. Shouldn't we
> >#define kmap_prot _PAGE_KERNEL?
>
> iirc it changes based on runtime detection of NX capability
Huh. Is it possible that core duo is so old that it has no NX?
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
stepping : 8
microcode : 0x39
...
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx
constant_tsc arch_perfmon bts aperfmperf pni monitor vmx est tm2 xtpr
pdcm dtherm
No, it lists nx in flags. Linus asked me about trying without
CONFIG_EFI. I should have no EFI here, but I'll try it.
I turned off CONFIG_EFI, but CONFIG_UEFI_CPER can't seem to be
disabled easily.
Still:
[ 3.269750] WARNING: CPU: 1 PID: 1 at
arch/x86/mm/dump_pagetables.c:225 note_page+0x5ec/0x790()
[ 3.271999] x86/mm: Found insecure W+X mapping at address
ffe69000/0xffe69000
pavel@duo:~$ zcat /proc/config.gz | grep EFI
# CONFIG_EFI_PARTITION is not set
# CONFIG_EFI is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
CONFIG_UEFI_CPER=y
pavel@duo:~$
Ok, I managed to turn off even CONFIG_UEFI_CPER after some fight, but
result is the same.
(Hmm... I'll probably regret it, but... I guess config.gz does contain
some information useful for the attacker. How long till some "hardened
distro" chmods it to 600?)
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
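The failure mode under discussion, as an added illustration that is not code from this thread or from the kernel: a tiny C model of how a requested NX bit is dropped when it is not yet in the supported-PTE mask, so a "non-executable" writable kernel page ends up W+X, and the check that dump_pagetables performs to flag it. The bit positions match x86 (RW is bit 1, NX is bit 63); the mask, function names and sample table are constructed for this example and simplify the real kernel logic.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86 PTE flag bits (same bit positions as the kernel's pgtable_types.h). */
#define _PAGE_PRESENT (1ULL << 0)
#define _PAGE_RW      (1ULL << 1)
#define _PAGE_NX      (1ULL << 63)

typedef uint64_t pteval_t;

/* Stand-in for __supported_pte_mask: bits the kernel lets into a PTE.
   Constructed to start without NX, like an early 32-bit boot before the
   nx CPUID flag has been folded into the mask. */
static pteval_t supported_pte_mask = _PAGE_PRESENT | _PAGE_RW;

/* Flip NX support on or off, mirroring when CPU feature detection runs. */
void enable_nx_support(void)  { supported_pte_mask |= _PAGE_NX; }
void disable_nx_support(void) { supported_pte_mask &= ~_PAGE_NX; }

/* Build a writable kernel-data PTE that *requests* NX. The NX bit only
   survives if it is already in supported_pte_mask at creation time. */
pteval_t make_kernel_data_pte(void)
{
    pteval_t requested = _PAGE_PRESENT | _PAGE_RW | _PAGE_NX;
    return requested & supported_pte_mask;
}

/* The property note_page() warns about: present, writable and executable. */
bool is_wx(pteval_t pte)
{
    return (pte & _PAGE_PRESENT) && (pte & _PAGE_RW) && !(pte & _PAGE_NX);
}

/* Count W+X entries in a table, as the boot-time page-table dump does. */
int count_wx(const pteval_t *ptes, int n)
{
    int wx = 0;
    for (int i = 0; i < n; i++)
        if (is_wx(ptes[i]))
            wx++;
    return wx;
}

int main(void)
{
    pteval_t early = make_kernel_data_pte();  /* mask lacks NX: ends up W+X */
    enable_nx_support();
    pteval_t later = make_kernel_data_pte();  /* mask has NX: stays W^X    */
    pteval_t table[2] = { early, later };
    printf("early W+X=%d later W+X=%d total=%d\n",
           is_wx(early), is_wx(later), count_wx(table, 2));
    return 0;
}
```

Setting NX in the mask before the first mappings are created is exactly what removes the warning; mappings made earlier keep the W+X bits they were born with.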