makedumpfile issues many readpage_elf: Attempt to read non-existent page

Atsushi Kumagai ats-kumagai at wm.jp.nec.com
Tue Oct 25 02:19:40 PDT 2016


Hello,

>> I have now completed the kernel bisection between 4.7.8 and 4.8-rc1 and
>> identified the kernel modification that triggers the errors cited above:
>>
>>> commit 021182e52fe01c1f7b126f97fd6ba048dc4234fd
>>> Author: Thomas Garnier <thgarnie at google.com>
>>> Date:   Tue Jun 21 17:47:03 2016 -0700
>>>
>>>     x86/mm: Enable KASLR for physical mapping memory regions
>>>
>>>     Add the physical mapping in the list of randomized memory regions.
>>>
>>>     The physical memory mapping holds most allocations from boot and heap
>>>     allocators. Knowing the base address and physical memory size, an attacker
>>>     can deduce the PDE virtual address for the vDSO memory page. This attack
>>>     was demonstrated at CanSecWest 2016, in the following presentation:
>>>
>>>       "Getting Physical: Extreme Abuse of Intel Based Paged Systems":
>>>
>>>       https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/blob/master/Presentation/CanSec2016_Presentation.pdf
>>>
>>>     (See second part of the presentation).
>>>
>>>     The exploits used against Linux worked successfully against 4.6+ but
>>>     fail with KASLR memory enabled:
>>>
>>>
>>>       https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/tree/master/Demos/Linux/exploits
>>>
>>>     Similar research was done at Google leading to this patch proposal.
>>>
>>>     Variants exists to overwrite /proc or /sys objects ACLs leading to
>>>     elevation of privileges. These variants were tested against 4.6+.
>>>
>>>     The page offset used by the compressed kernel retains the static value
>>>     since it is not yet randomized during this boot stage.
>>>
>>>     Signed-off-by: Thomas Garnier <thgarnie at google.com>
>>>     Signed-off-by: Kees Cook <keescook at chromium.org>
>>>     Cc: Alexander Kuleshov <kuleshovmail at gmail.com>
>> <truncated>
>>
>> The interesting change seems to be:
>>
>>> -#define __PAGE_OFFSET           _AC(0xffff880000000000, UL)
>>> +#define __PAGE_OFFSET_BASE      _AC(0xffff880000000000, UL)
>>> +#ifdef CONFIG_RANDOMIZE_MEMORY
>>> +#define __PAGE_OFFSET           page_offset_base
>>> +#else
>>> +#define __PAGE_OFFSET           __PAGE_OFFSET_BASE
>>> +#endif /* CONFIG_RANDOMIZE_MEMORY */
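Review bot: under CONFIG_RANDOMIZE_MEMORY this hunk turns __PAGE_OFFSET from the compile-time constant 0xffff880000000000 into the runtime variable page_offset_base, so any out-of-tree consumer that still hardcodes the old constant to translate direct-mapping addresses (makedumpfile, per this thread) computes wrong physical addresses on such kernels; the commit message above does not mention that impact, and it should either state it or come with a way for dump tools to recover the randomized value (the makedumpfile fix referenced in this thread recomputes it from the PT_LOAD headers instead).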
>>
>> I'll try to see if I can fix that.
>>
>> Kind regards,
>>
>> ...Louis
>>
>
>Some more *important* information in this mostly monologue thread: Pratyush
>Anand has pushed a patch to the list earlier today that apparently fixes this
>issue:
>
>[PATCH Makedumpfile 1/4] x86_64: Calculate page_offset from pt_load[1]
>
>HTH,
>
>Kind regards,

Yeah, it appears so. I'm reviewing the patches,
please wait for that.
I appreciate your investigation of this issue.


Thanks,
Atsushi Kumagai

>...Louis
>
>[1] https://www.mail-archive.com/kexec@lists.infradead.org/msg16628.html
>--
>Louis Bouchard
>Software engineer, Cloud & Sustaining eng.
>Canonical Ltd
>Ubuntu developer                       Debian Maintainer
>GPG : 429D 7A3B DD05 B6F8 AF63  B9C4 8B3D 867C 823E 7A61
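The fix referred to above derives page_offset from a PT_LOAD program header instead of assuming the old constant. The following is an added illustration of that idea in Python; it is not makedumpfile's own code, the ELF images it parses are constructed inline, the segment addresses are made-up sample values, and the rule it uses to pick the direct-mapping segment (first PT_LOAD below the kernel text mapping) is this example's assumption rather than makedumpfile's exact condition.

```python
"""Recover the x86_64 direct-map base (page_offset) from an ELF vmcore.

Added example (not makedumpfile code). For a PT_LOAD segment that belongs to
the kernel direct mapping, page_offset = p_vaddr - p_paddr, whether or not
CONFIG_RANDOMIZE_MEMORY moved it away from 0xffff880000000000.
"""
import struct

PAGE_OFFSET_BASE = 0xFFFF880000000000   # historical fixed __PAGE_OFFSET
START_KERNEL_MAP = 0xFFFFFFFF80000000   # x86_64 kernel text mapping starts here
PT_LOAD = 1
ET_CORE, EM_X86_64 = 4, 62

# ELF64 header (64 bytes) and program header (56 bytes), little-endian.
EHDR = struct.Struct("<4sBBBBB7xHHIQQQIHHHHHH")
PHDR = struct.Struct("<IIQQQQQQ")


def build_vmcore(segments):
    """Build a header-only ELF64 core with one PT_LOAD per (p_vaddr, p_paddr, size).
    Constructed test input: no page contents are appended."""
    phoff = EHDR.size
    ehdr = EHDR.pack(b"\x7fELF", 2, 1, 1, 0, 0, ET_CORE, EM_X86_64, 1, 0,
                     phoff, 0, 0, EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    offset = phoff + PHDR.size * len(segments)
    phdrs = b""
    for vaddr, paddr, size in segments:
        phdrs += PHDR.pack(PT_LOAD, 7, offset, vaddr, paddr, size, size, 0)
        offset += size
    return ehdr + phdrs


def iter_pt_load(image):
    """Yield (p_vaddr, p_paddr, p_memsz) for every PT_LOAD in the image."""
    hdr = EHDR.unpack_from(image, 0)
    if hdr[0] != b"\x7fELF" or hdr[1] != 2:
        raise ValueError("not an ELF64 image")
    phoff, phentsize, phnum = hdr[10], hdr[14], hdr[15]
    for i in range(phnum):
        ph = PHDR.unpack_from(image, phoff + i * phentsize)
        if ph[0] == PT_LOAD:
            yield ph[3], ph[4], ph[6]


def page_offset_from_pt_load(image):
    """Derive page_offset from the first PT_LOAD that lies below the kernel
    text mapping (assumed selection rule for the direct-map segment)."""
    for vaddr, paddr, _ in iter_pt_load(image):
        if vaddr >= START_KERNEL_MAP:
            continue                     # kernel text/modules, not the direct map
        offset = vaddr - paddr
        # Sanity check: page-aligned and in the upper canonical half.
        if offset & 0xFFF or offset < 0xFFFF800000000000:
            raise ValueError("implausible page_offset 0x%x" % offset)
        return offset
    raise ValueError("no direct-mapping PT_LOAD in this vmcore")


def direct_map_to_phys(vaddr, page_offset):
    """Translate a direct-mapping virtual address to a physical address."""
    return vaddr - page_offset


def phys_in_dump(image, paddr):
    """True if some PT_LOAD covers paddr; a miss here is the kind of lookup
    failure a dump reader reports as an attempt to read a non-existent page."""
    return any(p <= paddr < p + size for _, p, size in iter_pt_load(image))
```

With a dump taken from a kernel that randomized the physical mapping, translating a direct-map address with the old constant yields a physical address that no PT_LOAD covers, while the derived page_offset resolves it to a page that is present in the dump.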
