kexec cannot find text map area if kaslr is enabled

Eric W. Biederman ebiederm at xmission.com
Thu Oct 17 15:58:30 EDT 2013 

HATAYAMA Daisuke <d.hatayama at jp.fujitsu.com> writes:

> Hello,
>
> I tried to use x86/kaslr branch to check if how it works with kdump
> framework.

As far as I can tell x86/kaslr is a pretty silly idea.  There don't seem
to be enough bits to make it hard to brute force, much less hard to
guess.  And it is a lot of pain to get there... Sigh.

> I found kexec doesn't work. According to the message, it looks like kexec failing
> to find kernel text map area from kcore.

Well kexec -p doesn't work. 

> $ sudo /sbin/kexec  -p --command-line="ro root=UUID=cdd5e357-d223-47ee-9d6e-d1fa78b3f8a4 rd_NO_LUKS nodmraid rd_NO_MD KEYBOARDTYPE=pc KEYTABLE=jp106 LANG=ja_JP.UTF-8 rd_NO_LVM rd_NO_DM consol\
> e=ttyS0,19200n8r trace_event=block:*,irq:*,mce:*,sched:*,signal:*,workqueue:*,scsi:* trace_buf_size=25165824 irqpoll nr_cpus=2 reset_devices cgroup_disable=memory mce=off enable_lazy_purge " --initrd=/boot/initrd-3.12.0-rc4-k\
> aslrkdump.img /boot/vmlinuz-3.12.0-rc4-kaslr
> Can't find kernel text map area from kcore
> Cannot load /boot/vmlinuz-3.12.0-rc4-kaslr
>
> From source code, it looks like kexec trying to find text map area by hard-coded
> __START_KERNEL_map address. But this is being altered by kaslr.

Looking at the code you have found the hard coded address of -2G is
fine, and actually required by the compiler.   The actual problem
appears to be that the structure of the kernel mapping has changed.
There are now two mappings in the -2GB range.  one of 10MiB and one
of 1024MiB.  Where the code was looking for a mapping of 512MiB.

The entire bit of code is a just for pretty printing the core and I
suspect could be done more robustly, possibly by reporting all of the
kernel vaddrs of the mappings.

I expect you could increase X86_64_KERNEL_TEXT_SIZE 2GiB -1 aka
0x7fffffff and the code would work.  I don't know if you would have a
recognizable text segment in the core dump.

I believe ultimately what we want is to have an elf image with all of
the same PT_LOAD segments as /proc/kcore, and the current implementation
is not general enough to do that.  So this probably makes a good
opportunity to rewrite it.

It may also make sense to have some information from /proc/kallsyms.  We
aren't doing that on i386 and have something that works, so I suspect
the same logic will work on x86_64.  At least until it is decided that
the best way to load the kernel is to randomly reorder and relink all of
the .o's in the kernel at boot time.

Eric

> static int get_kernel_vaddr_and_size(struct kexec_info *UNUSED(info),
>                                      struct crash_elf_info *elf_info)
> <cut>
>         /* Traverse through the Elf headers and find the region where
>          * kernel is mapped. */
>         end_phdr = &ehdr.e_phdr[ehdr.e_phnum];
>         for(phdr = ehdr.e_phdr; phdr != end_phdr; phdr++) {
>                 if (phdr->p_type == PT_LOAD) {
>                         unsigned long long saddr = phdr->p_vaddr;
>                         unsigned long long eaddr = phdr->p_vaddr + phdr->p_memsz;
>                         unsigned long long size;
>
>                         /* Look for kernel text mapping header. */
>                         if ((saddr >= X86_64__START_KERNEL_map) &&
>                             (eaddr <= X86_64__START_KERNEL_map + X86_64_KERNEL_TEXT_SIZE)) {
>                                 saddr = _ALIGN_DOWN(saddr, X86_64_KERN_VADDR_ALIGN);
>                                 elf_info->kern_vaddr_start = saddr;
>                                 size = eaddr - saddr;
>                                 /* Align size to page size boundary. */
>                                 size = _ALIGN(size, align);
>                                 elf_info->kern_size = size;
>                                 dbgprintf("kernel vaddr = 0x%llx size = 0x%llx\n",
>                                         saddr, size);
>                                 return 0;
>                         }
>                 }
>         }
>         fprintf(stderr, "Can't find kernel text map area from kcore\n");
>         return -1;
>
> It seems to me that kexec needs to get runtime relocation information for example
> from /proc/kallsyms.
>
> I think there would be other part that doesn't work well due to this kind of hard coded address.
>
> FYI, here are also part of /proc/iomem and /proc/kcore information on my environment:
>
> $ readelf -l /proc/kcore
> Elf file type is CORE (Core file)
> Entry point 0x0
> There are 11 program headers, starting at offset 64
>
> Program Headers:
>   Type           Offset             VirtAddr           PhysAddr
>                  FileSiz            MemSiz              Flags  Align
>   NOTE           0x00000000000002a8 0x0000000000000000 0x0000000000000000
>                  0x0000000000000c74 0x0000000000000000         0
>   LOAD           0x00007fffff601000 0xffffffffff600000 0x0000000000000000
>                  0x0000000000800000 0x0000000000800000  RWE    1000
>   LOAD           0x00007fffa3001000 0xffffffffa3000000 0x0000000000000000
>                  0x0000000000ed4000 0x0000000000ed4000  RWE    1000
>   LOAD           0x0000490000001000 0xffffc90000000000 0x0000000000000000
>                  0x00001fffffffffff 0x00001fffffffffff  RWE    1000
>   LOAD           0x00007fffc0001000 0xffffffffc0000000 0x0000000000000000
>                  0x000000003f000000 0x000000003f000000  RWE    1000
>   LOAD           0x0000080000002000 0xffff880000001000 0x0000000000000000
>                  0x000000000009a000 0x000000000009a000  RWE    1000
>   LOAD           0x00006a0000001000 0xffffea0000000000 0x0000000000000000
>                  0x0000000000003000 0x0000000000003000  RWE    1000
>   LOAD           0x0000080000101000 0xffff880000100000 0x0000000000000000
>                  0x000000007af0d000 0x000000007af0d000  RWE    1000
>   LOAD           0x00006a0000004000 0xffffea0000003000 0x0000000000000000
>                  0x0000000001ae6000 0x0000000001ae6000  RWE    1000
>   LOAD           0x0000080100001000 0xffff880100000000 0x0000000000000000
>                  0x0000000780000000 0x0000000780000000  RWE    1000
>   LOAD           0x00006a0003801000 0xffffea0003800000 0x0000000000000000
>                  0x000000001a400000 0x000000001a400000  RWE    1000
>
> 00000000-00000fff : reserved
> 00001000-0009afff : System RAM
> 0009b000-0009ffff : reserved
> 000a0000-000bffff : PCI Bus 0000:00
> 000c0000-000c7fff : Video ROM
> 000c8000-000c8fff : Adapter ROM
> 000c9000-000cefff : Adapter ROM
> 000e0000-000fffff : reserved
>   000f0000-000fffff : System ROM
> 00100000-7b00cfff : System RAM
>   03000000-22ffffff : Crash kernel
>   23000000-2355118e : Kernel code
>   2355118f-23af95ff : Kernel data
>   23cb2000-23eadfff : Kernel bss
> 7b00d000-7b00ffff : reserved
> 7b010000-7b65efff : ACPI Non-volatile Storage
> 7b65f000-7b681fff : ACPI Tables
> 7b682000-7b7bffff : reserved
> 7b7c0000-7ba3ffff : ACPI Non-volatile Storage
> 7ba40000-7baaafff : reserved
> 7baab000-7bcfffff : ACPI Tables
> 7bd00000-7bd12fff : reserved
> 7bd13000-7bd15fff : ACPI Tables
> 7bd16000-7bd45fff : reserved
> 7bd46000-7bd5efff : ACPI Tables
> 7bd5f000-7bdfefff : reserved
> 7bdff000-7bdfffff : ACPI Tables
> 7be00000-7be4efff : reserved
>   7be1b018-7be1b067 : APEI ERST
>   7be1b070-7be1b077 : APEI ERST
>   7be1b078-7be1d017 : APEI ERST
> 7be4f000-7bf83fff : ACPI Tables
> 7bf84000-7bfcefff : ACPI Non-volatile Storage
> 7bfcf000-7bffefff : ACPI Tables
> 7bfff000-8fffffff : reserved
>   80000000-8fffffff : PCI MMCONFIG 0000 [bus 00-ff]
> 90000000-afffffff : PCI Bus 0000:00
> <cut>

More information about the kexec mailing list