arm32 insecure W+X mapping

Robin Murphy robin.murphy at arm.com
Fri Aug 20 10:48:07 PDT 2021


On 2021-08-20 17:06, Tim Harvey wrote:
> On Thu, Aug 19, 2021 at 5:16 PM Russell King (Oracle)
> <linux at armlinux.org.uk> wrote:
>>
>> On Thu, Aug 19, 2021 at 04:59:15PM -0700, Tim Harvey wrote:
>>> On Thu, Aug 19, 2021 at 2:28 PM Russell King (Oracle)
>>> <linux at armlinux.org.uk> wrote:
>>>>
>>>> On Thu, Aug 19, 2021 at 10:19:46AM -0700, Tim Harvey wrote:
>>>>> Greetings,
>>>>>
>>>>> Since commit a8e53c151fe7 "(ARM: 8737/1: mm: dump: add checking for
>>>>> writable and executable)" I've been seeing the following appear on my
>>>>> arm32 kernel:
>>>>>
>>>>> arm/mm: Found insecure W+X mapping at address 0xf087d000
>>>>> ...
>>>>> Checked W+X mappings: FAILED, 1 W+X pages found
>>>>>
>>>>> As I haven't seen others report this I assume it's something unique to
>>>>> my kernel configuration. How do I debug what is causing the insecure
>>>>> page?
>>>>
>>>> If you check /proc/vmallocinfo, it should tell you the physical
>>>> address that was mapped there, and the function that created the
>>>> mapping. That should give enough clues to track it down.
>>>>
>>>
>>> Russell,
>>>
>>> Thanks for the tip!
>>>
>>> # dmesg | grep insecure
>>> [   13.219582] arm/mm: Found insecure W+X mapping at address 0xf087d000
>>> # cat /proc/vmallocinfo | grep 0xf0
>>> 0x5f3045dd-0xf0020e05   20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
>>> 0xf0020e05-0x6e748217    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
>>> 0x127639d7-0x334ee291    4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
>>
>> Oh... the kernel's %p pointer munging (for security reasons) is
>> affecting your ability to debug your problem. Assuming this is a
>> recent kernel, you can disable this by passing "no_hash_pointers"
>> on the kernel command line. You should then see real addresses (and
>> a big fat message at boot time about it.
>>
> 
> I'm using 5.13 and when I pass in 'no_hash_pointers' I do indeed see
> the huge warning but I get similar results that I can't make sense of:

Pointer hashing always trips me up too, so I thought I'd chuck my 
curiosity into the ring...

Between the vmallocinfo and printk code, it looks like you need to set 
/proc/sys/kptr_restrict to 1 and be root (or have CAP_SYSLOG privilege) 
to get non-hashed addresses here. Because having only one way to confuse 
debugging would be far too easy, I guess :/

Robin.

> # uname -r
> 5.13.0-00009-g8beacec9a060
> # cat /proc/cmdline
> console=ttymxc1,115200 no_hash_pointers
> # dmesg | grep insecure
> [   13.309537] arm/mm: Found insecure W+X mapping at address 0xf087d000
> # cat /proc/vmallocinfo | grep 0xf0
> 0xf02c73a9-0xfa933595   20480 __devm_ioremap+0x94/0xa4 phys=0x0202c000 ioremap
> 0xc02cb795-0x054951d9    4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> # cat /proc/vmallocinfo
> 0xbe008562-0x5576ab44   20480 of_iomap+0x44/0x68 phys=0x020d8000 ioremap
> 0x5576ab44-0xb255df29    8192 of_iomap+0x44/0x68 phys=0x00a01000 ioremap
> 0x46b8335b-0x447c6b02   20480 of_iomap+0x44/0x68 phys=0x020dc000 ioremap
> 0x447c6b02-0x7527802c    8192 l2x0_of_init+0x78/0x26c phys=0x00a02000 ioremap
> 0xee30b5de-0x9e0d6dbd   20480 of_iomap+0x44/0x68 phys=0x020c4000 ioremap
> 0x9e0d6dbd-0xf62147bb    8192 of_iomap+0x44/0x68 phys=0x020c8000 ioremap
> 0xfe3688a4-0xecfce701   20480 of_iomap+0x44/0x68 phys=0x020c4000 ioremap
> 0x0d7d7401-0xce35bdb8   20480 of_iomap+0x44/0x68 phys=0x02098000 ioremap
> 0xd0da9915-0xa147e0b3    8192 bpf_prog_alloc_no_stats+0x2c/0x118 pages=1 vmalloc
> 0xa147e0b3-0xb043f532  266240 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xb043f532-0x7f372e98    8192 gen_pool_add_owner+0x34/0x94 pages=1 vmalloc
> 0x7f372e98-0x22c0f7fa    8192 of_syscon_register+0xb8/0x2a0
> phys=0x020c8000 ioremap
> 0x22c0f7fa-0xbc80b65b    8192 __devm_ioremap+0x94/0xa4 phys=0x020c9000 ioremap
> 0xbc80b65b-0x5737939a    8192 __devm_ioremap+0x94/0xa4 phys=0x020ca000 ioremap
> 0x5737939a-0xfaac3f4b    8192 gen_pool_add_owner+0x34/0x94 pages=1 vmalloc
> 0xfaac3f4b-0x3400434f   20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
> 0x3400434f-0x4b5b39be    8192 imx6_pm_common_init+0x118/0x36c
> phys=0x00900000 ioremap
> 0xfa6109c5-0x8220d86a  266240 __devm_ioremap+0x50/0xa4 phys=0x00900000 ioremap
> 0x8220d86a-0xbb32fa78    8192 imx6_pm_get_base+0x64/0x98 phys=0x00a02000 ioremap
> 0xe37ddad7-0x94023f64   20480 imx6_pm_get_base+0x64/0x98 phys=0x021b0000 ioremap
> 0x94023f64-0x032e50a3    8192 of_syscon_register+0xb8/0x2a0
> phys=0x020e0000 ioremap
> 0xd41722d0-0x69a3231e   20480 imx6_pm_get_base+0x64/0x98 phys=0x020d8000 ioremap
> 0x69a3231e-0x6dc29018    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x327a8342-0x78efb8e0   20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
> 0x78efb8e0-0xe6178284    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x76f38a9b-0x34af82ac   20480 imx6_pm_get_base+0x64/0x98 phys=0x020dc000 ioremap
> 0x34af82ac-0x81d03489    8192 __devm_ioremap+0x94/0xa4 phys=0x02600000 ioremap
> 0x63fe0abd-0x6b04db7d   20480 __devm_ioremap+0x94/0xa4 phys=0x020e0000 ioremap
> 0xb849bd1c-0xc46ae71e   20480 __devm_ioremap+0x94/0xa4 phys=0x0209c000 ioremap
> 0xc46ae71e-0x1eb811b8    8192 __devm_ioremap+0x94/0xa4 phys=0x02608000 ioremap
> 0x2c687987-0xbae166ed   20480 __devm_ioremap+0x94/0xa4 phys=0x020a0000 ioremap
> 0xbae166ed-0xb27fac72    8192 __devm_ioremap+0x94/0xa4 phys=0x02630000 ioremap
> 0x0868e824-0xa08b93b8   20480 __devm_ioremap+0x94/0xa4 phys=0x020a4000 ioremap
> 0xa08b93b8-0x73e79d37    8192 __devm_ioremap+0x94/0xa4 phys=0x02638000 ioremap
> 0x3ff71a53-0x1664550e   20480 __devm_ioremap+0x94/0xa4 phys=0x020a8000 ioremap
> 0x1664550e-0xdffb9edc    8192 __devm_ioremap+0x94/0xa4 phys=0x02620000 ioremap
> 0x1d0f2f08-0xb32e296b   20480 __devm_ioremap+0x94/0xa4 phys=0x020ac000 ioremap
> 0xb32e296b-0x7062006c    8192 __devm_ioremap+0x94/0xa4 phys=0x02668000 ioremap
> 0xff2f5a70-0xff7ff60a   20480 __devm_ioremap+0x94/0xa4 phys=0x020b0000 ioremap
> 0xff7ff60a-0x8779d9bc    8192 __devm_ioremap+0x94/0xa4 phys=0x02640000 ioremap
> 0xccc5d4a4-0xbbd8184e   20480 __devm_ioremap+0x94/0xa4 phys=0x020b4000 ioremap
> 0xf3211f15-0xdf4e4390   12288 __devm_ioremap+0x94/0xa4 phys=0x00110000 ioremap
> 0xdf4e4390-0x8b969f88    8192 __devm_ioremap+0x94/0xa4 phys=0x02648000 ioremap
> 0x67d4c705-0x2844e8ae   20480 __devm_ioremap+0x94/0xa4 phys=0x021a0000 ioremap
> 0x2844e8ae-0xe969daac    8192 __devm_ioremap+0x94/0xa4 phys=0x02658000 ioremap
> 0x6c51de7f-0x13285901   20480 __devm_ioremap+0x94/0xa4 phys=0x021a4000 ioremap
> 0x13285901-0xcf2d44dd    8192 __devm_ioremap+0x94/0xa4 phys=0x02780000 ioremap
> 0x632c016d-0x81fc4149   20480 __devm_ioremap+0x94/0xa4 phys=0x021a8000 ioremap
> 0x81fc4149-0xd005970a    8192 __devm_ioremap+0x94/0xa4 phys=0x02660000 ioremap
> 0xacd62b34-0x2369ad7d   20480 __devm_ioremap+0x94/0xa4 phys=0x021d8000 ioremap
> 0x2369ad7d-0x6c218545    8192 __devm_ioremap+0x94/0xa4 phys=0x02740000 ioremap
> 0xd8caee3b-0x8f7b3eae   20480 __devm_ioremap+0x94/0xa4 phys=0x01ffc000 ioremap
> 0x8f7b3eae-0x7754f3e6    8192 __devm_ioremap+0x94/0xa4 phys=0x02650000 ioremap
> 0xcf739a9c-0x86505b25   20480 __devm_ioremap+0x94/0xa4 phys=0x020ec000 ioremap
> 0x86505b25-0x4419339d    8192 __devm_ioremap+0x94/0xa4 phys=0x02a00000 ioremap
> 0x38550150-0xee5ad30c   20480 of_syscon_register+0xb8/0x2a0
> phys=0x021bc000 ioremap
> 0xee5ad30c-0x73467058    8192 __devm_ioremap+0x94/0xa4 phys=0x02a08000 ioremap
> 0x7659aedb-0xd37bf098   20480 __devm_ioremap+0x94/0xa4 phys=0x020dc000 ioremap
> 0xd37bf098-0x6b62199d    8192 __devm_ioremap+0x94/0xa4 phys=0x02a30000 ioremap
> 0xe2fcb2be-0x83ac2ff4   20480 __devm_ioremap+0x94/0xa4 phys=0x02020000 ioremap
> 0x83ac2ff4-0x498e66da    8192 __devm_ioremap+0x94/0xa4 phys=0x02a38000 ioremap
> 0xda200768-0x9519b5b7   20480 __devm_ioremap+0x94/0xa4 phys=0x021e8000 ioremap
> 0x9519b5b7-0xd8066315    8192 __devm_ioremap+0x94/0xa4 phys=0x02a20000 ioremap
> 0x327c6cd3-0xb09836e5   20480 __devm_ioremap+0x94/0xa4 phys=0x021f4000 ioremap
> 0xb09836e5-0x2ee61e13    8192 __devm_ioremap+0x94/0xa4 phys=0x02a68000 ioremap
> 0x28a28e71-0xfb74b75d   40960 __devm_ioremap+0x94/0xa4 phys=0x00120000 ioremap
> 0xfb74b75d-0x94731aa5    8192 __devm_ioremap+0x94/0xa4 phys=0x02a40000 ioremap
> 0x94731aa5-0x9ed95f4b   20480 __devm_ioremap+0x94/0xa4 phys=0x00130000 ioremap
> 0x9ed95f4b-0xb6679e93    8192 __devm_ioremap+0x94/0xa4 phys=0x02a48000 ioremap
> 0xd2083a49-0xd15b1ee5   20480 __devm_ioremap+0x94/0xa4 phys=0x00134000 ioremap
> 0xd15b1ee5-0xb873e80d    8192 __devm_ioremap+0x94/0xa4 phys=0x02a58000 ioremap
> 0xb873e80d-0xad853c5f    8192 __devm_ioremap+0x94/0xa4 phys=0x02b80000 ioremap
> 0xad853c5f-0x727a169b    8192 __devm_ioremap+0x94/0xa4 phys=0x02a60000 ioremap
> 0x79bcf223-0xd8778c7f  528384 devm_pci_remap_cfgspace+0x3c/0x74
> phys=0x01f00000 ioremap
> 0xd8778c7f-0xcd8f995b  135168 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xcd8f995b-0x0e93c50d    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x0e93c50d-0x35d018fd   20480 __devm_ioremap+0x94/0xa4 phys=0x02204000 ioremap
> 0x35d018fd-0x30dd9119  528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x30dd9119-0x1d49a1b3    8192 __devm_ioremap+0x94/0xa4 phys=0x02b40000 ioremap
> 0x1d49a1b3-0xe202a461    8192 __devm_ioremap+0x94/0xa4 phys=0x02a50000 ioremap
> 0x3c5f9898-0x7c998da8  135168 __devm_ioremap+0x94/0xa4 phys=0x02700000 ioremap
> 0x0be6bff2-0xe617431b   12288 __devm_ioremap+0x94/0xa4 phys=0x00112000 ioremap
> 0xe617431b-0x1894871f    8192 __pci_enable_msix_range+0x1b4/0x50c
> phys=0x01420000 ioremap
> 0xcc3e24ea-0x24fc33d0   69632 __devm_ioremap+0x94/0xa4 phys=0x02760000 ioremap
> 0x24fc33d0-0x2ad2fe2c   81920 pcpu_create_chunk+0x14c/0x290 pages=19 vmalloc
> 0x064e8962-0x041a1631    8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0x041a1631-0xa78f78b0  135168 __devm_ioremap+0x94/0xa4 phys=0x02b00000 ioremap
> 0x482eea6f-0xa04223bd   12288 __devm_ioremap+0x94/0xa4 phys=0x00114000 ioremap
> 0xa04223bd-0x47cd64d8    8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0x496ff4b8-0x1b8cd27f   69632 __devm_ioremap+0x94/0xa4 phys=0x02b60000 ioremap
> 0x1b8cd27f-0x9a03a792 1576960 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x9e844161-0x46bbc5c3    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x46bbc5c3-0x061f37bb   20480 __devm_ioremap+0x94/0xa4 phys=0x02200000 ioremap
> 0x061f37bb-0x099e44f8   98304 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x099e44f8-0x5a73428f   36864 iscsi_target_init_module+0xb4/0x234
> pages=8 vmalloc
> 0x5a73428f-0x6b24094e   20480 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x8763af88-0xc279660f   20480 __devm_ioremap+0x94/0xa4 phys=0x0200c000 ioremap
> 0xc279660f-0x0746510e    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xc42e58a5-0x9bb92a15   20480 __devm_ioremap+0x94/0xa4 phys=0x02188000 ioremap
> 0x9bb92a15-0xbffbc968  135168 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xbffbc968-0xc3135661   36864 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x7f8906cc-0x57602490   20480 __devm_ioremap+0x94/0xa4 phys=0x021e4000 ioremap
> 0x57602490-0x32a0cd25    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x32a0cd25-0xccf592e4    8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0xccf592e4-0xc3d5117e    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xd80eccd6-0x1eccdd8b  135168 igb_probe+0x150/0x10a4 phys=0x01400000 ioremap
> 0x1eccdd8b-0x360f1603    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x32fecfc9-0x71e47aa2   20480 __devm_ioremap+0x94/0xa4 phys=0x020c0000 ioremap
> 0x71e47aa2-0x5098c2fb    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xaf379216-0x24330e7c   20480 __devm_ioremap+0x94/0xa4 phys=0x02198000 ioremap
> 0x3dd54ba7-0x2392a17a   20480 __devm_ioremap+0x94/0xa4 phys=0x02034000 ioremap
> 0x2392a17a-0x1e11712d   16384 n_tty_open+0x10/0x9c pages=3 vmalloc
> 0x300b1fb4-0x33dba900   20480 __devm_ioremap+0x94/0xa4 phys=0x02028000 ioremap
> 0xf02c73a9-0xfa933595   20480 __devm_ioremap+0x94/0xa4 phys=0x0202c000 ioremap
> 0xbe5c4daa-0x6af5bd9c  528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x6af5bd9c-0x9ea7250e  528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x9ea7250e-0x74bbeefe 1294336 zstd_comp_init+0x58/0xb0 pages=315 vmalloc
> 0x74bbeefe-0x591c7299  163840 zstd_decomp_init+0x14/0x54 pages=39 vmalloc
> 0x591c7299-0x27154f89  274432 deflate_comp_init+0x20/0x90 pages=66 vmalloc
> 0x27154f89-0x3978b460   49152 deflate_decomp_init+0x14/0x58 pages=11 vmalloc
> 0x3978b460-0x99da8daa  212992 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xe9a5ec5f-0xb0e53888  249856 __devm_ioremap+0x94/0xa4 phys=0x02040000 ioremap
> 0xb0e53888-0xc24dd16d  528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xc02cb795-0x054951d9    4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> 0x32815c21-0x48bd192d 2097152 pci_reserve_io+0x0/0x30 ioremap
> 0xba73986b-0x4f91845f  311296 pcpu_get_vm_areas+0x0/0x10c0 vmalloc
> 0x4f91845f-0x86cbfbfa  311296 pcpu_get_vm_areas+0x0/0x10c0 vmalloc
> 0x17d9341e-0xbe008562   16384 unpurged vm_area
> 0xecfce701-0xd35ab9b8    8192 unpurged vm_area
> 0xce35bdb8-0xd0da9915    8192 unpurged vm_area
> 0x6b04db7d-0xb849bd1c 15609856 unpurged vm_area
> 0xe202a461-0x3c5f9898   73728 unpurged vm_area
> 0x7c998da8-0x0be6bff2   36864 unpurged vm_area
> 0x2ad2fe2c-0x064e8962   36864 unpurged vm_area
> 0xa78f78b0-0x482eea6f   36864 unpurged vm_area
> 0x9a03a792-0x9e844161  442368 unpurged vm_area
> 0x92d57223-0xd09758da  249856 unpurged vm_area
> 0xfa933595-0xbe5c4daa   36864 unpurged vm_area
> 
> Thanks for your help!
> 
> Tim
> 
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
> 



More information about the linux-arm-kernel mailing list