Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160919225717.GO18931@jhogan-linux.le.imgtec.org>
Date: Mon, 19 Sep 2016 23:57:17 +0100
From: James Hogan <james.hogan@...tec.com>
To: Kees Cook <keescook@...omium.org>
CC: Guenter Roeck <linux@...ck-us.net>, Petr Mladek <pmladek@...e.com>, LKML
	<linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org>,
	Tejun Heo <tj@...nel.org>, <linux-metag@...r.kernel.org>, Ingo Molnar
	<mingo@...nel.org>, "kernel-hardening@...ts.openwall.com"
	<kernel-hardening@...ts.openwall.com>
Subject: Re: qemu:metag image runtime failure in -next due to 'kthread: allow
 to cancel kthread work'

On Mon, Sep 19, 2016 at 02:51:54PM -0700, Kees Cook wrote:
> On Mon, Sep 19, 2016 at 2:37 PM, James Hogan <james.hogan@...tec.com> wrote:
> > Okay, I just built x86_64 default defconfig (on ef98de028afd, half way
> > through the mm patches on linux-next from the other day where metag
> > stopped booting). Perhaps I'm missing some important config option to
> > enable the memory protection (if so I appologise).
> >
> > For metag:
> >
> > $ readelf -S drivers/tty/pty.o
> >   [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
> >   [51] .data..ro_after_i PROGBITS        00000000 00f0c0 00007c 00  WA  0   0  4
> >
> > $ readelf -S vmlinux.bust:
> >   [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
> >   [ 4] .rodata           PROGBITS        40190000 194000 04c9c8 00  WA  0   0 64
> >
> > And x86_64:
> >
> > $ readelf -S drivers/tty/pty.o
> >   [Nr] Name              Type             Address           Offset
> >        Size              EntSize          Flags  Link  Info  Align
> >   [18] .data..ro_after_i PROGBITS         0000000000000000  00001140
> >        00000000000000f8  0000000000000000  WA       0     0     64
> >
> > $ readelf -S vmlinux
> >   [Nr] Name              Type             Address           Offset
> >        Size              EntSize          Flags  Link  Info  Align
> >   [ 4] .rodata           PROGBITS         ffffffff81a00000  00c00000
> >        00000000002663d0  0000000000000000  WA       0     0     4096
> >
> > Both have WA on that section in the object file and the final vmlinux
> > ELF too.
> 
> Hm, very true, I never noticed that. Oddly, the LOAD flags don't pay
> any attention on x86:
> 
> $ readelf -l vmlinux
> 
> Elf file type is EXEC (Executable file)
> Entry point 0x1000000
> There are 5 program headers, starting at offset 64
> 
> Program Headers:
>   Type           Offset             VirtAddr           PhysAddr
>                  FileSiz            MemSiz              Flags  Align
>   LOAD           0x0000000000200000 0xffffffff81000000 0x0000000001000000
>                  0x0000000000fdc000 0x0000000000fdc000  R E    200000
>   LOAD           0x0000000001200000 0xffffffff82000000 0x0000000002000000
>                  0x0000000000155000 0x0000000000155000  RW     200000
>   LOAD           0x0000000001400000 0x0000000000000000 0x0000000002155000
>                  0x0000000000019488 0x0000000000019488  RW     200000
>   LOAD           0x000000000156f000 0xffffffff8216f000 0x000000000216f000
>                  0x0000000000122000 0x0000000000eb4000  RWE    200000
>   NOTE           0x0000000000ca0248 0xffffffff81aa0248 0x0000000001aa0248
>                  0x0000000000000024 0x0000000000000024         4
> 
>  Section to Segment mapping:
>   Segment Sections...
>    00     .text .notes __ex_table .rodata __bug_table .pci_fixup
> .builtin_fw .tracedata __ksymtab __ksymtab_gpl __ksymtab_strings
> __param __modver
>    01     .data .vvar
>    02     .data..percpu
>    03     .init.text .altinstr_aux .init.data .x86_cpu_dev.init
> .altinstructions .altinstr_replacement .iommu_table .apicdrivers
> .exit.text .smp_locks .bss .brk
>    04     .notes
> 
> The first load (containing .rodata) is "R E".

Aah, right, I think thats because the program headers are specified
explicitly in arch/x86/kernel/vmlinux.lds.S:

PHDRS {
	text PT_LOAD FLAGS(5);          /* R_E */
	data PT_LOAD FLAGS(6);          /* RW_ */
#ifdef CONFIG_X86_64
#ifdef CONFIG_SMP
	percpu PT_LOAD FLAGS(6);        /* RW_ */
#endif
	init PT_LOAD FLAGS(7);          /* RWE */
#endif
	note PT_NOTE FLAGS(0);          /* ___ */
}

The bit I was missing is that RO_DATA() is after .text, but before
.data, so counts as part of the PT_LOAD program header for text.

> 
> But, the point is: the kernel is what sets up the permissions, so the
> flags are ignored anyway.

Indeed.

Thanks for your patience working through this stuff with me :)

Cheers
James

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.