From: Sachin Sant <sachinp@linux.ibm.com>
To: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
Subject: Re: [PATCH 2/2] powerpc/64s/radix: Fix RWX mapping with relocated kernel
Date: Wed, 11 Jan 2023 10:31:44 +0530 [thread overview]
Message-ID: <82AE3E29-7DE5-4DC1-AC8C-B08D3C322DCD@linux.ibm.com> (raw)
In-Reply-To: <20230110124753.1325426-2-mpe@ellerman.id.au>
[-- Attachment #1: Type: text/plain, Size: 2264 bytes --]
> On 10-Jan-2023, at 6:17 PM, Michael Ellerman <mpe@ellerman.id.au> wrote:
>
> If a relocatable kernel is loaded at a non-zero address and told not to
> relocate to zero (kdump or RELOCATABLE_TEST), the mapping of the
> interrupt code at zero is left with RWX permissions.
>
> That is a security weakness, and leads to a warning at boot if
> CONFIG_DEBUG_WX is enabled:
>
> powerpc/mm: Found insecure W+X mapping at address 00000000056435bc/0xc000000000000000
> WARNING: CPU: 1 PID: 1 at arch/powerpc/mm/ptdump/ptdump.c:193 note_page+0x484/0x4c0
> CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc1-00001-g8ae8e98aea82-dirty #175
> Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,git-dd0dca hv:linux,kvm pSeries
> NIP: c0000000004a1c34 LR: c0000000004a1c30 CTR: 0000000000000000
> REGS: c000000003503770 TRAP: 0700 Not tainted (6.2.0-rc1-00001-g8ae8e98aea82-dirty)
> MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 24000220 XER: 00000000
> CFAR: c000000000545a58 IRQMASK: 0
> ...
> NIP note_page+0x484/0x4c0
> LR note_page+0x480/0x4c0
> Call Trace:
> note_page+0x480/0x4c0 (unreliable)
> ptdump_pmd_entry+0xc8/0x100
> walk_pgd_range+0x618/0xab0
> walk_page_range_novma+0x74/0xc0
> ptdump_walk_pgd+0x98/0x170
> ptdump_check_wx+0x94/0x100
> mark_rodata_ro+0x30/0x70
> kernel_init+0x78/0x1a0
> ret_from_kernel_thread+0x5c/0x64
>
> The fix has two parts. Firstly the pages from zero up to the end of
> interrupts need to be marked read-only, so that they are left with R-X
> permissions. Secondly the mapping logic needs to be taught to ensure
> there is a page boundary at the end of the interrupt region, so that the
> permission change only applies to the interrupt text, and not the region
> following it.
>
> Fixes: c55d7b5e6426 ("powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE")
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
Thanks Michael. This fixes the problem reported earlier
https://lore.kernel.org/linuxppc-dev/48206911-FD3D-401A-A69D-1A79403E79E2@linux.ibm.com/
Reported-by: Sachin Sant <sachinp@linux.ibm.com>
Tested-by: Sachin Sant <sachinp@linux.ibm.com>
- Sachin
[-- Attachment #2: Type: text/html, Size: 3174 bytes --]
next prev parent reply other threads:[~2023-01-11 12:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-10 12:47 [PATCH 1/2] powerpc/64s/radix: Fix crash with unaligned relocated kernel Michael Ellerman
2023-01-10 12:47 ` [PATCH 2/2] powerpc/64s/radix: Fix RWX mapping with " Michael Ellerman
2023-01-11 5:01 ` Sachin Sant [this message]
2023-01-11 5:06 ` [PATCH 1/2] powerpc/64s/radix: Fix crash with unaligned " Sachin Sant
2023-02-05 9:41 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=82AE3E29-7DE5-4DC1-AC8C-B08D3C322DCD@linux.ibm.com \
--to=sachinp@linux.ibm.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).