
Re: [Xen-devel] Bug#852324: x86/mm: Found insecure W+X mapping



On Thu, 2017-03-16 at 00:50 +0000, Ben Hutchings wrote:
> On Wed, 2017-03-15 at 22:24 +0000, Ben Hutchings wrote:
> > Control: retitle -1 [xen] x86/mm: Found insecure W+X mapping
> > Control: tag -1 upstream confirmed
> > Control: found -1 4.9.13-1
> > 
> > I can reproduce this with a current Debian kernel on top of Xen 4.4. 
> > It doesn't happen with the same hardware booting the kernel directly.
> 
> With CONFIG_X86_PTDUMP enabled, I can see that the first 16 MiB of the
> low kernel mapping is mapped with W+X permissions, with a few
> exceptions:
> 
> 0xffff880000000000-0xffff880000099000         612K USR RW                     x  pte
> 0xffff880000099000-0xffff88000009a000           4K USR ro                     NX pte
> 0xffff88000009a000-0xffff88000009b000           4K USR ro                     x  pte
> 0xffff88000009b000-0xffff88000009f000          16K USR RW                     NX pte
> 0xffff88000009f000-0xffff880000100000         388K USR RW PWT PCD             x  pte
> 0xffff880000100000-0xffff880000102000           8K USR RW                     x  pte
> 0xffff880000102000-0xffff880001000000       15352K USR RW                     x  pte
> 
> This accounts for all the 4090 pages reported at boot.

I see this same mapping when running Linux 4.9 under either Xen 4.4 or
4.8 (from Debian stable or unstable).

I don't really understand how the PV MMU page tables are set up.  I did
try setting the NX flag in make_lowmem_page_readwrite() and that didn't
make any difference to the number of W+X pages.

Ben.

> When booting without Xen, the first 512 MiB is mapped like this:
> 
> 0xffff9c2e40000000-0xffff9c2e40097000         604K     RW                 GLB NX pte
> 0xffff9c2e40097000-0xffff9c2e40098000           4K     ro                 GLB NX pte
> 0xffff9c2e40098000-0xffff9c2e40099000           4K     ro                 GLB x  pte
> 0xffff9c2e40099000-0xffff9c2e40200000        1436K     RW                 GLB NX pte
> 0xffff9c2e40200000-0xffff9c2e60000000         510M     RW         PSE     GLB NX pmd
> 
> (looks like Xen inhibited kASLR too...).
> 
> Ben.
> 
-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
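
Added example, not part of the original message: a Python check that parses page-table dump rows in the format quoted above and counts the pages that are both writable (RW) and executable (x), which reproduces the 4090-page figure. The sample input is the Xen rows from the message with each wrapped row rejoined; the function and constant names are illustrative.

```python
import re

# Constructed sample: the Xen PV rows quoted in the message, one row per line.
PTDUMP = """\
0xffff880000000000-0xffff880000099000         612K USR RW                     x  pte
0xffff880000099000-0xffff88000009a000           4K USR ro                     NX pte
0xffff88000009a000-0xffff88000009b000           4K USR ro                     x  pte
0xffff88000009b000-0xffff88000009f000          16K USR RW                     NX pte
0xffff88000009f000-0xffff880000100000         388K USR RW PWT PCD             x  pte
0xffff880000100000-0xffff880000102000           8K USR RW                     x  pte
0xffff880000102000-0xffff880001000000       15352K USR RW                     x  pte
"""

# start-end, size with unit, flag columns, page-table level
ROW = re.compile(
    r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+(\d+)([KMGT])\s+(.*?)\s+(pte|pmd|pud|p4d|pgd)$"
)
UNIT = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}
PAGE_SIZE = 4096  # counts are expressed in 4 KiB pages


def parse(text):
    """Yield (start, end, flags) for every mapping row; skip other lines."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # section headers and blank lines
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        # Cross-check the printed size against the address range; a mismatch
        # means the row was damaged (for example by mail line wrapping).
        if end - start != int(m.group(3)) * UNIT[m.group(4)]:
            raise ValueError("size does not match range: " + line)
        yield start, end, m.group(5).split()


def wx_ranges(text):
    """Return (start, end) of rows that are writable and not marked NX."""
    return [(s, e) for s, e, f in parse(text)
            if "RW" in f and "x" in f and "NX" not in f]


def wx_pages(text):
    """Total number of 4 KiB pages covered by W+X rows."""
    return sum((e - s) // PAGE_SIZE for s, e in wx_ranges(text))


if __name__ == "__main__":
    for s, e in wx_ranges(PTDUMP):
        print(f"W+X {s:#018x}-{e:#018x} {(e - s) // PAGE_SIZE} pages")
    print("total W+X pages:", wx_pages(PTDUMP))
```
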
