arm32 insecure W+X mapping
Robin Murphy
robin.murphy at arm.com
Fri Aug 20 10:48:07 PDT 2021
On 2021-08-20 17:06, Tim Harvey wrote:
> On Thu, Aug 19, 2021 at 5:16 PM Russell King (Oracle)
> <linux at armlinux.org.uk> wrote:
>>
>> On Thu, Aug 19, 2021 at 04:59:15PM -0700, Tim Harvey wrote:
>>> On Thu, Aug 19, 2021 at 2:28 PM Russell King (Oracle)
>>> <linux at armlinux.org.uk> wrote:
>>>>
>>>> On Thu, Aug 19, 2021 at 10:19:46AM -0700, Tim Harvey wrote:
>>>>> Greetings,
>>>>>
>>>>> Since commit a8e53c151fe7 "(ARM: 8737/1: mm: dump: add checking for
>>>>> writable and executable)" I've been seeing the following appear on my
>>>>> arm32 kernel:
>>>>>
>>>>> arm/mm: Found insecure W+X mapping at address 0xf087d000
>>>>> ...
>>>>> Checked W+X mappings: FAILED, 1 W+X pages found
>>>>>
>>>>> As I haven't seen others report this I assume it's something unique to
>>>>> my kernel configuration. How do I debug what is causing the insecure
>>>>> page?
>>>>
>>>> If you check /proc/vmallocinfo, it should tell you the physical
>>>> address that was mapped there, and the function that created the
>>>> mapping. That should give enough clues to track it down.
>>>>
>>>
>>> Russell,
>>>
>>> Thanks for the tip!
>>>
>>> # dmesg | grep insecure
>>> [ 13.219582] arm/mm: Found insecure W+X mapping at address 0xf087d000
>>> # cat /proc/vmallocinfo | grep 0xf0
>>> 0x5f3045dd-0xf0020e05 20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
>>> 0xf0020e05-0x6e748217 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
>>> 0x127639d7-0x334ee291 4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
>>
>> Oh... the kernel's %p pointer munging (for security reasons) is
>> affecting your ability to debug your problem. Assuming this is a
>> recent kernel, you can disable this by passing "no_hash_pointers"
>> on the kernel command line. You should then see real addresses (and
>> a big fat message at boot time about it.
>>
>
> I'm using 5.13 and when I pass in 'no_hash_pointers' I do indeed see
> the huge warning but I get similar results that I can't make sense of:
Pointer hashing always trips me up too, so I thought I'd chuck my
curiosity into the ring...
Between the vmallocinfo and printk code, it looks like you need to set
/proc/sys/kptr_restrict to 1 and be root (or have CAP_SYSLOG privilege)
to get non-hashed addresses here. Because having only one way to confuse
debugging would be far too easy, I guess :/
Robin.
> # uname -r
> 5.13.0-00009-g8beacec9a060
> # cat /proc/cmdline
> console=ttymxc1,115200 no_hash_pointers
> # dmesg | grep insecure
> [ 13.309537] arm/mm: Found insecure W+X mapping at address 0xf087d000
> # cat /proc/vmallocinfo | grep 0xf0
> 0xf02c73a9-0xfa933595 20480 __devm_ioremap+0x94/0xa4 phys=0x0202c000 ioremap
> 0xc02cb795-0x054951d9 4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> # cat /proc/vmallocinfo
> 0xbe008562-0x5576ab44 20480 of_iomap+0x44/0x68 phys=0x020d8000 ioremap
> 0x5576ab44-0xb255df29 8192 of_iomap+0x44/0x68 phys=0x00a01000 ioremap
> 0x46b8335b-0x447c6b02 20480 of_iomap+0x44/0x68 phys=0x020dc000 ioremap
> 0x447c6b02-0x7527802c 8192 l2x0_of_init+0x78/0x26c phys=0x00a02000 ioremap
> 0xee30b5de-0x9e0d6dbd 20480 of_iomap+0x44/0x68 phys=0x020c4000 ioremap
> 0x9e0d6dbd-0xf62147bb 8192 of_iomap+0x44/0x68 phys=0x020c8000 ioremap
> 0xfe3688a4-0xecfce701 20480 of_iomap+0x44/0x68 phys=0x020c4000 ioremap
> 0x0d7d7401-0xce35bdb8 20480 of_iomap+0x44/0x68 phys=0x02098000 ioremap
> 0xd0da9915-0xa147e0b3 8192 bpf_prog_alloc_no_stats+0x2c/0x118 pages=1 vmalloc
> 0xa147e0b3-0xb043f532 266240 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xb043f532-0x7f372e98 8192 gen_pool_add_owner+0x34/0x94 pages=1 vmalloc
> 0x7f372e98-0x22c0f7fa 8192 of_syscon_register+0xb8/0x2a0
> phys=0x020c8000 ioremap
> 0x22c0f7fa-0xbc80b65b 8192 __devm_ioremap+0x94/0xa4 phys=0x020c9000 ioremap
> 0xbc80b65b-0x5737939a 8192 __devm_ioremap+0x94/0xa4 phys=0x020ca000 ioremap
> 0x5737939a-0xfaac3f4b 8192 gen_pool_add_owner+0x34/0x94 pages=1 vmalloc
> 0xfaac3f4b-0x3400434f 20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
> 0x3400434f-0x4b5b39be 8192 imx6_pm_common_init+0x118/0x36c
> phys=0x00900000 ioremap
> 0xfa6109c5-0x8220d86a 266240 __devm_ioremap+0x50/0xa4 phys=0x00900000 ioremap
> 0x8220d86a-0xbb32fa78 8192 imx6_pm_get_base+0x64/0x98 phys=0x00a02000 ioremap
> 0xe37ddad7-0x94023f64 20480 imx6_pm_get_base+0x64/0x98 phys=0x021b0000 ioremap
> 0x94023f64-0x032e50a3 8192 of_syscon_register+0xb8/0x2a0
> phys=0x020e0000 ioremap
> 0xd41722d0-0x69a3231e 20480 imx6_pm_get_base+0x64/0x98 phys=0x020d8000 ioremap
> 0x69a3231e-0x6dc29018 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x327a8342-0x78efb8e0 20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
> 0x78efb8e0-0xe6178284 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x76f38a9b-0x34af82ac 20480 imx6_pm_get_base+0x64/0x98 phys=0x020dc000 ioremap
> 0x34af82ac-0x81d03489 8192 __devm_ioremap+0x94/0xa4 phys=0x02600000 ioremap
> 0x63fe0abd-0x6b04db7d 20480 __devm_ioremap+0x94/0xa4 phys=0x020e0000 ioremap
> 0xb849bd1c-0xc46ae71e 20480 __devm_ioremap+0x94/0xa4 phys=0x0209c000 ioremap
> 0xc46ae71e-0x1eb811b8 8192 __devm_ioremap+0x94/0xa4 phys=0x02608000 ioremap
> 0x2c687987-0xbae166ed 20480 __devm_ioremap+0x94/0xa4 phys=0x020a0000 ioremap
> 0xbae166ed-0xb27fac72 8192 __devm_ioremap+0x94/0xa4 phys=0x02630000 ioremap
> 0x0868e824-0xa08b93b8 20480 __devm_ioremap+0x94/0xa4 phys=0x020a4000 ioremap
> 0xa08b93b8-0x73e79d37 8192 __devm_ioremap+0x94/0xa4 phys=0x02638000 ioremap
> 0x3ff71a53-0x1664550e 20480 __devm_ioremap+0x94/0xa4 phys=0x020a8000 ioremap
> 0x1664550e-0xdffb9edc 8192 __devm_ioremap+0x94/0xa4 phys=0x02620000 ioremap
> 0x1d0f2f08-0xb32e296b 20480 __devm_ioremap+0x94/0xa4 phys=0x020ac000 ioremap
> 0xb32e296b-0x7062006c 8192 __devm_ioremap+0x94/0xa4 phys=0x02668000 ioremap
> 0xff2f5a70-0xff7ff60a 20480 __devm_ioremap+0x94/0xa4 phys=0x020b0000 ioremap
> 0xff7ff60a-0x8779d9bc 8192 __devm_ioremap+0x94/0xa4 phys=0x02640000 ioremap
> 0xccc5d4a4-0xbbd8184e 20480 __devm_ioremap+0x94/0xa4 phys=0x020b4000 ioremap
> 0xf3211f15-0xdf4e4390 12288 __devm_ioremap+0x94/0xa4 phys=0x00110000 ioremap
> 0xdf4e4390-0x8b969f88 8192 __devm_ioremap+0x94/0xa4 phys=0x02648000 ioremap
> 0x67d4c705-0x2844e8ae 20480 __devm_ioremap+0x94/0xa4 phys=0x021a0000 ioremap
> 0x2844e8ae-0xe969daac 8192 __devm_ioremap+0x94/0xa4 phys=0x02658000 ioremap
> 0x6c51de7f-0x13285901 20480 __devm_ioremap+0x94/0xa4 phys=0x021a4000 ioremap
> 0x13285901-0xcf2d44dd 8192 __devm_ioremap+0x94/0xa4 phys=0x02780000 ioremap
> 0x632c016d-0x81fc4149 20480 __devm_ioremap+0x94/0xa4 phys=0x021a8000 ioremap
> 0x81fc4149-0xd005970a 8192 __devm_ioremap+0x94/0xa4 phys=0x02660000 ioremap
> 0xacd62b34-0x2369ad7d 20480 __devm_ioremap+0x94/0xa4 phys=0x021d8000 ioremap
> 0x2369ad7d-0x6c218545 8192 __devm_ioremap+0x94/0xa4 phys=0x02740000 ioremap
> 0xd8caee3b-0x8f7b3eae 20480 __devm_ioremap+0x94/0xa4 phys=0x01ffc000 ioremap
> 0x8f7b3eae-0x7754f3e6 8192 __devm_ioremap+0x94/0xa4 phys=0x02650000 ioremap
> 0xcf739a9c-0x86505b25 20480 __devm_ioremap+0x94/0xa4 phys=0x020ec000 ioremap
> 0x86505b25-0x4419339d 8192 __devm_ioremap+0x94/0xa4 phys=0x02a00000 ioremap
> 0x38550150-0xee5ad30c 20480 of_syscon_register+0xb8/0x2a0
> phys=0x021bc000 ioremap
> 0xee5ad30c-0x73467058 8192 __devm_ioremap+0x94/0xa4 phys=0x02a08000 ioremap
> 0x7659aedb-0xd37bf098 20480 __devm_ioremap+0x94/0xa4 phys=0x020dc000 ioremap
> 0xd37bf098-0x6b62199d 8192 __devm_ioremap+0x94/0xa4 phys=0x02a30000 ioremap
> 0xe2fcb2be-0x83ac2ff4 20480 __devm_ioremap+0x94/0xa4 phys=0x02020000 ioremap
> 0x83ac2ff4-0x498e66da 8192 __devm_ioremap+0x94/0xa4 phys=0x02a38000 ioremap
> 0xda200768-0x9519b5b7 20480 __devm_ioremap+0x94/0xa4 phys=0x021e8000 ioremap
> 0x9519b5b7-0xd8066315 8192 __devm_ioremap+0x94/0xa4 phys=0x02a20000 ioremap
> 0x327c6cd3-0xb09836e5 20480 __devm_ioremap+0x94/0xa4 phys=0x021f4000 ioremap
> 0xb09836e5-0x2ee61e13 8192 __devm_ioremap+0x94/0xa4 phys=0x02a68000 ioremap
> 0x28a28e71-0xfb74b75d 40960 __devm_ioremap+0x94/0xa4 phys=0x00120000 ioremap
> 0xfb74b75d-0x94731aa5 8192 __devm_ioremap+0x94/0xa4 phys=0x02a40000 ioremap
> 0x94731aa5-0x9ed95f4b 20480 __devm_ioremap+0x94/0xa4 phys=0x00130000 ioremap
> 0x9ed95f4b-0xb6679e93 8192 __devm_ioremap+0x94/0xa4 phys=0x02a48000 ioremap
> 0xd2083a49-0xd15b1ee5 20480 __devm_ioremap+0x94/0xa4 phys=0x00134000 ioremap
> 0xd15b1ee5-0xb873e80d 8192 __devm_ioremap+0x94/0xa4 phys=0x02a58000 ioremap
> 0xb873e80d-0xad853c5f 8192 __devm_ioremap+0x94/0xa4 phys=0x02b80000 ioremap
> 0xad853c5f-0x727a169b 8192 __devm_ioremap+0x94/0xa4 phys=0x02a60000 ioremap
> 0x79bcf223-0xd8778c7f 528384 devm_pci_remap_cfgspace+0x3c/0x74
> phys=0x01f00000 ioremap
> 0xd8778c7f-0xcd8f995b 135168 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xcd8f995b-0x0e93c50d 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x0e93c50d-0x35d018fd 20480 __devm_ioremap+0x94/0xa4 phys=0x02204000 ioremap
> 0x35d018fd-0x30dd9119 528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x30dd9119-0x1d49a1b3 8192 __devm_ioremap+0x94/0xa4 phys=0x02b40000 ioremap
> 0x1d49a1b3-0xe202a461 8192 __devm_ioremap+0x94/0xa4 phys=0x02a50000 ioremap
> 0x3c5f9898-0x7c998da8 135168 __devm_ioremap+0x94/0xa4 phys=0x02700000 ioremap
> 0x0be6bff2-0xe617431b 12288 __devm_ioremap+0x94/0xa4 phys=0x00112000 ioremap
> 0xe617431b-0x1894871f 8192 __pci_enable_msix_range+0x1b4/0x50c
> phys=0x01420000 ioremap
> 0xcc3e24ea-0x24fc33d0 69632 __devm_ioremap+0x94/0xa4 phys=0x02760000 ioremap
> 0x24fc33d0-0x2ad2fe2c 81920 pcpu_create_chunk+0x14c/0x290 pages=19 vmalloc
> 0x064e8962-0x041a1631 8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0x041a1631-0xa78f78b0 135168 __devm_ioremap+0x94/0xa4 phys=0x02b00000 ioremap
> 0x482eea6f-0xa04223bd 12288 __devm_ioremap+0x94/0xa4 phys=0x00114000 ioremap
> 0xa04223bd-0x47cd64d8 8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0x496ff4b8-0x1b8cd27f 69632 __devm_ioremap+0x94/0xa4 phys=0x02b60000 ioremap
> 0x1b8cd27f-0x9a03a792 1576960 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x9e844161-0x46bbc5c3 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x46bbc5c3-0x061f37bb 20480 __devm_ioremap+0x94/0xa4 phys=0x02200000 ioremap
> 0x061f37bb-0x099e44f8 98304 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x099e44f8-0x5a73428f 36864 iscsi_target_init_module+0xb4/0x234
> pages=8 vmalloc
> 0x5a73428f-0x6b24094e 20480 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x8763af88-0xc279660f 20480 __devm_ioremap+0x94/0xa4 phys=0x0200c000 ioremap
> 0xc279660f-0x0746510e 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xc42e58a5-0x9bb92a15 20480 __devm_ioremap+0x94/0xa4 phys=0x02188000 ioremap
> 0x9bb92a15-0xbffbc968 135168 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xbffbc968-0xc3135661 36864 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x7f8906cc-0x57602490 20480 __devm_ioremap+0x94/0xa4 phys=0x021e4000 ioremap
> 0x57602490-0x32a0cd25 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x32a0cd25-0xccf592e4 8192 __devm_ioremap+0x94/0xa4 phys=0x02184000 ioremap
> 0xccf592e4-0xc3d5117e 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xd80eccd6-0x1eccdd8b 135168 igb_probe+0x150/0x10a4 phys=0x01400000 ioremap
> 0x1eccdd8b-0x360f1603 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x32fecfc9-0x71e47aa2 20480 __devm_ioremap+0x94/0xa4 phys=0x020c0000 ioremap
> 0x71e47aa2-0x5098c2fb 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xaf379216-0x24330e7c 20480 __devm_ioremap+0x94/0xa4 phys=0x02198000 ioremap
> 0x3dd54ba7-0x2392a17a 20480 __devm_ioremap+0x94/0xa4 phys=0x02034000 ioremap
> 0x2392a17a-0x1e11712d 16384 n_tty_open+0x10/0x9c pages=3 vmalloc
> 0x300b1fb4-0x33dba900 20480 __devm_ioremap+0x94/0xa4 phys=0x02028000 ioremap
> 0xf02c73a9-0xfa933595 20480 __devm_ioremap+0x94/0xa4 phys=0x0202c000 ioremap
> 0xbe5c4daa-0x6af5bd9c 528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x6af5bd9c-0x9ea7250e 528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0x9ea7250e-0x74bbeefe 1294336 zstd_comp_init+0x58/0xb0 pages=315 vmalloc
> 0x74bbeefe-0x591c7299 163840 zstd_decomp_init+0x14/0x54 pages=39 vmalloc
> 0x591c7299-0x27154f89 274432 deflate_comp_init+0x20/0x90 pages=66 vmalloc
> 0x27154f89-0x3978b460 49152 deflate_decomp_init+0x14/0x58 pages=11 vmalloc
> 0x3978b460-0x99da8daa 212992 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xe9a5ec5f-0xb0e53888 249856 __devm_ioremap+0x94/0xa4 phys=0x02040000 ioremap
> 0xb0e53888-0xc24dd16d 528384 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> 0xc02cb795-0x054951d9 4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> 0x32815c21-0x48bd192d 2097152 pci_reserve_io+0x0/0x30 ioremap
> 0xba73986b-0x4f91845f 311296 pcpu_get_vm_areas+0x0/0x10c0 vmalloc
> 0x4f91845f-0x86cbfbfa 311296 pcpu_get_vm_areas+0x0/0x10c0 vmalloc
> 0x17d9341e-0xbe008562 16384 unpurged vm_area
> 0xecfce701-0xd35ab9b8 8192 unpurged vm_area
> 0xce35bdb8-0xd0da9915 8192 unpurged vm_area
> 0x6b04db7d-0xb849bd1c 15609856 unpurged vm_area
> 0xe202a461-0x3c5f9898 73728 unpurged vm_area
> 0x7c998da8-0x0be6bff2 36864 unpurged vm_area
> 0x2ad2fe2c-0x064e8962 36864 unpurged vm_area
> 0xa78f78b0-0x482eea6f 36864 unpurged vm_area
> 0x9a03a792-0x9e844161 442368 unpurged vm_area
> 0x92d57223-0xd09758da 249856 unpurged vm_area
> 0xfa933595-0xbe5c4daa 36864 unpurged vm_area
>
> Thanks for your help!
>
> Tim
>
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
>
More information about the linux-arm-kernel
mailing list