Re: x86/mm: Found insecure W+X mapping at address (ptrval)/0xc00a0000

From: Paul Menzel <pmenzel@molgen.mpg.de>
To: "Thomas Gleixner" <tglx@linutronix.de>, "Jörg Rödel" <joro@8bytes.org>
Cc: Borislav Petkov <bp@alien8.de>,
	linux-mm@kvack.org, x86@kernel.org,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: x86/mm: Found insecure W+X mapping at address (ptrval)/0xc00a0000
Date: Fri, 5 Oct 2018 11:39:13 +0200	[thread overview]
Message-ID: <74dededa-3754-058b-2291-a349b9f3673e@molgen.mpg.de> (raw)
In-Reply-To: <alpine.DEB.2.21.1810051124320.3960@nanos.tec.linutronix.de>

[-- Attachment #1: Type: text/plain, Size: 2595 bytes --]

Dear Thomas,

On 10/05/18 11:27, Thomas Gleixner wrote:
> On Thu, 4 Oct 2018, Joerg Roedel wrote:
> 
>> On Wed, Oct 03, 2018 at 11:22:55PM +0200, Borislav Petkov wrote:
>>> On Fri, Sep 28, 2018 at 04:55:19PM +0200, Thomas Gleixner wrote:
>>>> Sorry for the delay and thanks for the data. A quick diff did not reveal
>>>> anything obvious. I'll have a closer look and we probably need more (other)
>>>> information to nail that down.
>>
>> I also triggered this when working in the PTI-x32 code. It always
>> happens on a 32-bit PAE kernel for me.
>>
>> Tracking it down I ended up in (iirc) arch/x86/mm/pageattr.c
>> 	function static_protections():
>>
>> 		/*
>> 		 * The BIOS area between 640k and 1Mb needs to be executable for
>> 		 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
>> 		 */
>> 	#ifdef CONFIG_PCI_BIOS
>> 		if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
>> 			pgprot_val(forbidden) |= _PAGE_NX;
>> 	#endif
>>
>> I think that is the reason we are seeing this in that configuration.
> 
> Uurgh. Yes.
> 
> If pcibios is enabled and used, need to look at the gory details of that
> first, then the W+X check has to exclude that region. We can't do much
> about that.

That would also explain, why it only happens with the SeaBIOS payload,
which sets up legacy BIOS calls. Using GRUB directly as payload, no BIOS
calls are set up.

Reading the Kconfig description of the PCI access mode, the BIOS should
only be used last.

> choice  
>         prompt "PCI access mode"
>         depends on X86_32 && PCI
>         default PCI_GOANY
>         ---help---
>           On PCI systems, the BIOS can be used to detect the PCI devices and
>           determine their configuration. However, some old PCI motherboards
>           have BIOS bugs and may crash if this is done. Also, some embedded
>           PCI-based systems don't have any BIOS at all. Linux can also try to
>           detect the PCI hardware directly without using the BIOS.
> 
>           With this option, you can specify how Linux should detect the
>           PCI devices. If you choose "BIOS", the BIOS will be used,
>           if you choose "Direct", the BIOS won't be used, and if you
>           choose "MMConfig", then PCI Express MMCONFIG will be used.
>           If you choose "Any", the kernel will try MMCONFIG, then the
>           direct access method and falls back to the BIOS if that doesn't
>           work. If unsure, go with the default, which is "Any".

Kind regards,

Paul

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]