From: Kees Cook <keescook@chromium.org>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	Ingo Molnar <mingo@kernel.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Michal Hocko <mhocko@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Mateusz Guzik <mguzik@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: next-20170515: WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:236 note_page+0x630/0x7e0
Date: Wed, 17 May 2017 10:53:06 -0700
Message-ID: <CAGXu5jL+5x2Ba_nLrbn-oeu43qPinTS=ZPeXre-s3e-s2--jEg@mail.gmail.com>
In-Reply-To: <20170517164017.GP17314@wotan.suse.de>

On Wed, May 17, 2017 at 9:40 AM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> Yes, but I had killed that boot session again, so upon my next boot
> I had a different layout, the ASLR gap was much larger:
>
> ---[ Modules ]---
> 0xffffffffc0000000-0xffffffffc01b0000        1728K                               pte
> 0xffffffffc01b0000-0xffffffffc01b1000           4K     RW                 GLB x  pte
> 0xffffffffc01b1000-0xffffffffc01b2000           4K                               pte
> 0xffffffffc01b2000-0xffffffffc01c6000          80K     ro                 GLB x  pte
> 0xffffffffc01c6000-0xffffffffc01cc000          24K     ro                 GLB NX pte
> 0xffffffffc01cc000-0xffffffffc01d5000          36K     RW                 GLB NX pte
>
> As you can guess if we follow similar pattern the RW hole is the one this boot
> warned about:
>
> [    1.450483] x86/mm: Found insecure W+X mapping at address ffffffffc01b0000/0xffffffffc01b0000
> [    1.451280] ------------[ cut here ]------------
> [    1.451721] WARNING: CPU: 1 PID: 1 at arch/x86/mm/dump_pagetables.c:236 note_page+0x630/0x7e0
> [    1.452499] Modules linked in:
> [    1.452791] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc1-next-20170515+ #145
>
> I checked and indeed 0xffffffffc01b2000 is part of a module, it was not the first one
> on the /proc/modules list but then again /proc/modules does not seem to have a specific
> order other than perhaps being pegged into a linked list of modules once they go live,
> and it seems it's typically output backwards from when that happened, sorting that
> by address we get:

Right, sorry, I'd expect it at the bottom of the list in
/proc/modules, but that's fine, it's there.

>
> root@piggy:~# cat /proc/modules | sort -k 6 | head -3
> e1000 143360 0 - Live 0xffffffffc01b2000 (E)
> mbcache 16384 1 ext4, Live 0xffffffffc01d6000 (E)
> scsi_mod 217088 4 sg,sr_mod,sd_mod,libata, Live 0xffffffffc01df000 (E)
>
> And this then seems to be the first module loaded:
>
> e1000 143360 0 - Live 0xffffffffc01b2000 (E)
>
> The output of dmesg seems to confirm this as per the list of modules sorted
> as per above.
>
>> Something touched the module gap and left it RW+x...
>
> Lemme try booting with e1000 renamed to e1000.ko.ignore and see how that goes.

Is it possible a module got loaded before e1000 and then unloaded?
That seems odd, but maybe unload isn't cleaning up?

>> Are you able to bisect this?
>
> This issue has been present for a while so since I recall this I might be
> able to reduce the number of needed target kernels to bisect. Lemme tinker
> a bit and if no clear culprit comes up then will try bisect.

Okay, thanks!

-Kees


-- 
Kees Cook
Pixel Security
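The check the two of them are doing by hand above (spot the W+X page in the dumper output, then sort /proc/modules by load address and see which module, if any, covers it) as an added example. This is not code from the thread or from the kernel; the sample input is copied from the page-table dump and the three /proc/modules lines quoted in the mail, and the function names are my own. It assumes the standard layouts of the x86 page-table dump (flag column with RW/ro and x/NX, blank for non-present pages) and of /proc/modules (name, size, refcount, deps, state, address, optional taint).

```python
#!/usr/bin/env python3
"""Map a W+X page flagged by the x86 page-table dumper onto /proc/modules.

Added example, not the thread's or the kernel's code. Sample input below is
copied from the mail; parsing and lookup logic assumes the standard formats.
"""
import re

# Constructed sample: the "---[ Modules ]---" section quoted in the thread.
PAGE_TABLE_DUMP = """\
---[ Modules ]---
0xffffffffc0000000-0xffffffffc01b0000        1728K                               pte
0xffffffffc01b0000-0xffffffffc01b1000           4K     RW                 GLB x  pte
0xffffffffc01b1000-0xffffffffc01b2000           4K                               pte
0xffffffffc01b2000-0xffffffffc01c6000          80K     ro                 GLB x  pte
0xffffffffc01c6000-0xffffffffc01cc000          24K     ro                 GLB NX pte
0xffffffffc01cc000-0xffffffffc01d5000          36K     RW                 GLB NX pte
"""

# Constructed sample: the three lowest modules from "cat /proc/modules | sort -k 6".
PROC_MODULES = """\
e1000 143360 0 - Live 0xffffffffc01b2000 (E)
mbcache 16384 1 ext4, Live 0xffffffffc01d6000 (E)
scsi_mod 217088 4 sg,sr_mod,sd_mod,libata, Live 0xffffffffc01df000 (E)
"""

# start-end range, size column, then whatever flag tokens follow.
RANGE_RE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s+(.*)$")


def find_wx_ranges(dump):
    """Return (start, end) for every present mapping that is writable and
    executable, the condition note_page() warns about: the dumper prints
    'RW' for writable pages and 'x' (instead of 'NX') when the NX bit is
    clear. Non-present ranges have no flag tokens and are skipped."""
    found = []
    for line in dump.splitlines():
        m = RANGE_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        flags = m.group(3).split()
        if "RW" in flags and "x" in flags:
            found.append((start, end))
    return found


def parse_proc_modules(text):
    """Parse /proc/modules lines into (name, base, end) sorted by base.
    /proc/modules lists the most recently loaded module first, which is why
    the thread sorts on the address column instead of trusting list order."""
    mods = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        name, size, base = f[0], int(f[1]), int(f[5], 16)
        mods.append((name, base, base + size))
    return sorted(mods, key=lambda m: m[1])


def locate(addr, mods):
    """Return ("inside", module, None) if a module's [base, end) covers addr,
    otherwise ("gap", nearest_module_below, nearest_module_above)."""
    below = above = None
    for m in mods:  # mods is sorted by base
        if m[1] <= addr < m[2]:
            return ("inside", m, None)
        if m[2] <= addr:
            below = m
        elif above is None:
            above = m
    return ("gap", below, above)


def report(dump=PAGE_TABLE_DUMP, modules=PROC_MODULES):
    """One line per W+X range saying which module, if any, owns it."""
    mods = parse_proc_modules(modules)
    lines = []
    for start, end in find_wx_ranges(dump):
        kind, below, above = locate(start, mods)
        if kind == "inside":
            lines.append(f"W+X {start:#x}-{end:#x} inside module {below[0]} "
                         f"({below[1]:#x}-{below[2]:#x})")
        else:
            lo = (f"after {below[0]} ending {below[2]:#x}" if below
                  else "below the lowest loaded module")
            hi = (f"before {above[0]} at {above[1]:#x}" if above
                  else "above the highest loaded module")
            lines.append(f"W+X {start:#x}-{end:#x} in a gap: {lo}, {hi}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the quoted data this reports the 4K W+X page at 0xffffffffc01b0000 as sitting in the gap below e1000 (whose range 0xffffffffc01b2000-0xffffffffc01d5000 lines up with the ro/NX/RW+NX runs in the dump), not inside any listed module, which is what makes the "loaded then unloaded before e1000" question above worth chasing. On a live box with CONFIG_X86_PTDUMP, the same dump can be read from debugfs (kernel_page_tables in 4.12-era kernels) and /proc/modules read directly, instead of the constructed strings.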


Thread overview: 21+ messages
2017-05-15 22:06 next-20170515: WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:236 note_page+0x630/0x7e0 Luis R. Rodriguez
2017-05-15 22:15 ` Luis R. Rodriguez
2017-05-15 22:57   ` Kees Cook
2017-05-15 23:45     ` Luis R. Rodriguez
2017-05-16  0:12       ` Kees Cook
2017-05-17 16:40         ` Luis R. Rodriguez
2017-05-17 17:53           ` Kees Cook [this message]
2017-05-19  0:44             ` Luis R. Rodriguez
2017-05-19  3:08               ` Luis R. Rodriguez
2017-05-19 15:40                 ` Luis R. Rodriguez
2017-05-19 17:28                   ` Luis R. Rodriguez
2017-05-20  2:38                     ` Masami Hiramatsu
2017-05-23 14:48                       ` Luis R. Rodriguez
2017-05-24 17:55                         ` Luis R. Rodriguez
2017-05-19 17:35                   ` Catalin Marinas
2017-05-19 18:27                     ` Andy Lutomirski
2017-05-19 19:16                       ` Kees Cook
2017-05-19 19:18                         ` Andy Lutomirski
2017-05-19 19:29                           ` Kees Cook
2017-05-26 22:13                     ` Luis R. Rodriguez
2017-05-15 23:30   ` Luis R. Rodriguez
