[bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Joseph Qi]

Hi,

I have encountered a kernel BUG when running ltp ftrace-stress-test
on 4.19.48.

[  209.704855] LTP: starting ftrace-stress-test (ftrace_stress_test.sh 90)
[  209.739412] Scheduler tracepoints stat_sleep, stat_iowait, stat_blocked and stat_runtime require the kernel parameter schedstats=enable or kernel.sched_schedstats=1
[  212.054506] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[  212.055595] BUG: unable to handle kernel paging request at ffffffffc0349000
[  212.056589] PGD d00c067 P4D d00c067 PUD d00e067 PMD 23673e067 PTE 800000023457f061
[  212.057759] Oops: 0011 [#1] SMP PTI
[  212.058303] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 4.19.48 #112

After some investigation I have found that it is introduced by commit
8715ce033eb3 ("x86/modules: Avoid breaking W^X while loading modules"),
and then revert this commit the issue is gone.

I have also tested the same case on 5.2-rc3 as well as right at
upstream commit f2c65fb3221a ("x86/modules: Avoid breaking W^X while
loading modules"), which has been merged in 5.2-rc1, it doesn't
happen.

So I don't know why only stable has this issue while upstream doesn't.

Thanks,
Joseph

Re: [bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Joseph Qi]

Hi all,
Any idea on this regression? 

Thanks,
Joseph

On 19/6/5 18:23, Joseph Qi wrote:
> Hi,
> 
> I have encountered a kernel BUG when running ltp ftrace-stress-test
> on 4.19.48.
> 
> [  209.704855] LTP: starting ftrace-stress-test (ftrace_stress_test.sh 90)
> [  209.739412] Scheduler tracepoints stat_sleep, stat_iowait, stat_blocked and stat_runtime require the kernel parameter schedstats=enable or kernel.sched_schedstats=1
> [  212.054506] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [  212.055595] BUG: unable to handle kernel paging request at ffffffffc0349000
> [  212.056589] PGD d00c067 P4D d00c067 PUD d00e067 PMD 23673e067 PTE 800000023457f061
> [  212.057759] Oops: 0011 [#1] SMP PTI
> [  212.058303] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 4.19.48 #112
> 
> After some investigation I have found that it is introduced by commit
> 8715ce033eb3 ("x86/modules: Avoid breaking W^X while loading modules"),
> and then revert this commit the issue is gone.
> 
> I have also tested the same case on 5.2-rc3 as well as right at
> upstream commit f2c65fb3221a ("x86/modules: Avoid breaking W^X while
> loading modules"), which has been merged in 5.2-rc1, it doesn't
> happen.
> 
> So I don't know why only stable has this issue while upstream doesn't.
> 
> Thanks,
> Joseph
> 

Re: [bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Nadav Amit]

> On Jun 7, 2019, at 3:24 AM, Joseph Qi <joseph.qi@linux.alibaba.com> wrote:
> 
> Hi all,
> Any idea on this regression? 

Sorry for the late response (I assumed, for some reason, that you also follow 
the second thread about this issue).

Anyhow, it should be fixed by backporting some patches which were mistakenly
missed.

See https://lore.kernel.org/stable/20190606131558.GJ29739@sasha-vm/

Regards,
Nadav


> Thanks,
> Joseph
> 
> On 19/6/5 18:23, Joseph Qi wrote:
>> Hi,
>> 
>> I have encountered a kernel BUG when running ltp ftrace-stress-test
>> on 4.19.48.
>> 
>> [  209.704855] LTP: starting ftrace-stress-test (ftrace_stress_test.sh 90)
>> [  209.739412] Scheduler tracepoints stat_sleep, stat_iowait, stat_blocked and stat_runtime require the kernel parameter schedstats=enable or kernel.sched_schedstats=1
>> [  212.054506] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
>> [  212.055595] BUG: unable to handle kernel paging request at ffffffffc0349000
>> [  212.056589] PGD d00c067 P4D d00c067 PUD d00e067 PMD 23673e067 PTE 800000023457f061
>> [  212.057759] Oops: 0011 [#1] SMP PTI
>> [  212.058303] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 4.19.48 #112
>> 
>> After some investigation I have found that it is introduced by commit
>> 8715ce033eb3 ("x86/modules: Avoid breaking W^X while loading modules"),
>> and then revert this commit the issue is gone.
>> 
>> I have also tested the same case on 5.2-rc3 as well as right at
>> upstream commit f2c65fb3221a ("x86/modules: Avoid breaking W^X while
>> loading modules"), which has been merged in 5.2-rc1, it doesn't
>> happen.
>> 
>> So I don't know why only stable has this issue while upstream doesn't.
>> 
>> Thanks,
>> Joseph

Re: [bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Joseph Qi]

Hi Nadav,
Thanks for the comments.
I'll test the 3 patches in the mentioned thread.

Thanks,
Joseph

On 19/6/8 00:38, Nadav Amit wrote:
>> On Jun 7, 2019, at 3:24 AM, Joseph Qi <joseph.qi@linux.alibaba.com> wrote:
>>
>> Hi all,
>> Any idea on this regression? 
> 
> Sorry for the late response (I assumed, for some reason, that you also follow 
> the second thread about this issue).
> 
> Anyhow, it should be fixed by backporting some patches which were mistakenly
> missed.
> 
> See https://lore.kernel.org/stable/20190606131558.GJ29739@sasha-vm/
> 
> Regards,
> Nadav
> 
> 
>> Thanks,
>> Joseph
>>
>> On 19/6/5 18:23, Joseph Qi wrote:
>>> Hi,
>>>
>>> I have encountered a kernel BUG when running ltp ftrace-stress-test
>>> on 4.19.48.
>>>
>>> [  209.704855] LTP: starting ftrace-stress-test (ftrace_stress_test.sh 90)
>>> [  209.739412] Scheduler tracepoints stat_sleep, stat_iowait, stat_blocked and stat_runtime require the kernel parameter schedstats=enable or kernel.sched_schedstats=1
>>> [  212.054506] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
>>> [  212.055595] BUG: unable to handle kernel paging request at ffffffffc0349000
>>> [  212.056589] PGD d00c067 P4D d00c067 PUD d00e067 PMD 23673e067 PTE 800000023457f061
>>> [  212.057759] Oops: 0011 [#1] SMP PTI
>>> [  212.058303] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 4.19.48 #112
>>>
>>> After some investigation I have found that it is introduced by commit
>>> 8715ce033eb3 ("x86/modules: Avoid breaking W^X while loading modules"),
>>> and then revert this commit the issue is gone.
>>>
>>> I have also tested the same case on 5.2-rc3 as well as right at
>>> upstream commit f2c65fb3221a ("x86/modules: Avoid breaking W^X while
>>> loading modules"), which has been merged in 5.2-rc1, it doesn't
>>> happen.
>>>
>>> So I don't know why only stable has this issue while upstream doesn't.
>>>
>>> Thanks,
>>> Joseph
> 

Re: [bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Greg KH]

On Sun, Jun 09, 2019 at 09:10:45PM +0800, Joseph Qi wrote:
> Hi Nadav,
> Thanks for the comments.
> I'll test the 3 patches in the mentioned thread.

This should all be fixed in the latest release that happened today.  If
not, please let us know.

thanks,

greg k-h

Re: [bug report][stable] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)

[Joseph Qi]

Confirmed the following 3 upstream commits can resolve this issue:
d2a68c4effd8 x86/ftrace: Do not call function graph from dynamic trampolines
3c0dab44e227 x86/ftrace: Set trampoline pages as executable
7298e24f9042 x86/kprobes: Set instruction page as executable

And they are all included in stable 4.19.49.

Thanks,
Joseph

On 19/6/9 22:50, Greg KH wrote:
> On Sun, Jun 09, 2019 at 09:10:45PM +0800, Joseph Qi wrote:
>> Hi Nadav,
>> Thanks for the comments.
>> I'll test the 3 patches in the mentioned thread.
> 
> This should all be fixed in the latest release that happened today.  If
> not, please let us know.
> 
> thanks,
> 
> greg k-h
>