Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jJZMMxA95t9mS9YdKmMaH2VkF40FAqzL6cyrTfh+jNXvQ@mail.gmail.com>
Date: Mon, 19 Sep 2016 16:19:27 -0700
From: Kees Cook <keescook@...omium.org>
To: James Hogan <james.hogan@...tec.com>
Cc: Guenter Roeck <linux@...ck-us.net>, Petr Mladek <pmladek@...e.com>, 
	LKML <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org>, 
	Tejun Heo <tj@...nel.org>, linux-metag@...r.kernel.org, Ingo Molnar <mingo@...nel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: qemu:metag image runtime failure in -next due to 'kthread: allow
 to cancel kthread work'

On Mon, Sep 19, 2016 at 3:57 PM, James Hogan <james.hogan@...tec.com> wrote:
> On Mon, Sep 19, 2016 at 02:51:54PM -0700, Kees Cook wrote:
>> On Mon, Sep 19, 2016 at 2:37 PM, James Hogan <james.hogan@...tec.com> wrote:
>> > Okay, I just built x86_64 default defconfig (on ef98de028afd, half way
>> > through the mm patches on linux-next from the other day where metag
>> > stopped booting). Perhaps I'm missing some important config option to
>> > enable the memory protection (if so I appologise).
>> >
>> > For metag:
>> >
>> > $ readelf -S drivers/tty/pty.o
>> >   [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
>> >   [51] .data..ro_after_i PROGBITS        00000000 00f0c0 00007c 00  WA  0   0  4
>> >
>> > $ readelf -S vmlinux.bust:
>> >   [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
>> >   [ 4] .rodata           PROGBITS        40190000 194000 04c9c8 00  WA  0   0 64
>> >
>> > And x86_64:
>> >
>> > $ readelf -S drivers/tty/pty.o
>> >   [Nr] Name              Type             Address           Offset
>> >        Size              EntSize          Flags  Link  Info  Align
>> >   [18] .data..ro_after_i PROGBITS         0000000000000000  00001140
>> >        00000000000000f8  0000000000000000  WA       0     0     64
>> >
>> > $ readelf -S vmlinux
>> >   [Nr] Name              Type             Address           Offset
>> >        Size              EntSize          Flags  Link  Info  Align
>> >   [ 4] .rodata           PROGBITS         ffffffff81a00000  00c00000
>> >        00000000002663d0  0000000000000000  WA       0     0     4096
>> >
>> > Both have WA on that section in the object file and the final vmlinux
>> > ELF too.
>>
>> Hm, very true, I never noticed that. Oddly, the LOAD flags don't pay
>> any attention on x86:
>>
>> $ readelf -l vmlinux
>>
>> Elf file type is EXEC (Executable file)
>> Entry point 0x1000000
>> There are 5 program headers, starting at offset 64
>>
>> Program Headers:
>>   Type           Offset             VirtAddr           PhysAddr
>>                  FileSiz            MemSiz              Flags  Align
>>   LOAD           0x0000000000200000 0xffffffff81000000 0x0000000001000000
>>                  0x0000000000fdc000 0x0000000000fdc000  R E    200000
>>   LOAD           0x0000000001200000 0xffffffff82000000 0x0000000002000000
>>                  0x0000000000155000 0x0000000000155000  RW     200000
>>   LOAD           0x0000000001400000 0x0000000000000000 0x0000000002155000
>>                  0x0000000000019488 0x0000000000019488  RW     200000
>>   LOAD           0x000000000156f000 0xffffffff8216f000 0x000000000216f000
>>                  0x0000000000122000 0x0000000000eb4000  RWE    200000
>>   NOTE           0x0000000000ca0248 0xffffffff81aa0248 0x0000000001aa0248
>>                  0x0000000000000024 0x0000000000000024         4
>>
>>  Section to Segment mapping:
>>   Segment Sections...
>>    00     .text .notes __ex_table .rodata __bug_table .pci_fixup
>> .builtin_fw .tracedata __ksymtab __ksymtab_gpl __ksymtab_strings
>> __param __modver
>>    01     .data .vvar
>>    02     .data..percpu
>>    03     .init.text .altinstr_aux .init.data .x86_cpu_dev.init
>> .altinstructions .altinstr_replacement .iommu_table .apicdrivers
>> .exit.text .smp_locks .bss .brk
>>    04     .notes
>>
>> The first load (containing .rodata) is "R E".
>
> Aah, right, I think thats because the program headers are specified
> explicitly in arch/x86/kernel/vmlinux.lds.S:
>
> PHDRS {
>         text PT_LOAD FLAGS(5);          /* R_E */
>         data PT_LOAD FLAGS(6);          /* RW_ */
> #ifdef CONFIG_X86_64
> #ifdef CONFIG_SMP
>         percpu PT_LOAD FLAGS(6);        /* RW_ */
> #endif
>         init PT_LOAD FLAGS(7);          /* RWE */
> #endif
>         note PT_NOTE FLAGS(0);          /* ___ */
> }

Ah-ha! That solves that mystery for me. :)

> The bit I was missing is that RO_DATA() is after .text, but before
> .data, so counts as part of the PT_LOAD program header for text.

Right, originally, it was so that there could be a single read-only
mapping covering both, but ultimately it doesn't matter now since they
can't share a mapping anyway: text needs to be read-only and
executable and rodata needs to be read-only and non-executable.

>> But, the point is: the kernel is what sets up the permissions, so the
>> flags are ignored anyway.
>
> Indeed.
>
> Thanks for your patience working through this stuff with me :)

No problem; I learned some stuff too. :)

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.