arm32 insecure W+X mapping

Tim Harvey tharvey at gateworks.com
Fri Aug 20 11:41:38 PDT 2021


On Fri, Aug 20, 2021 at 10:48 AM Robin Murphy <robin.murphy at arm.com> wrote:
>
> On 2021-08-20 17:06, Tim Harvey wrote:
> > On Thu, Aug 19, 2021 at 5:16 PM Russell King (Oracle)
> > <linux at armlinux.org.uk> wrote:
> >>
> >> On Thu, Aug 19, 2021 at 04:59:15PM -0700, Tim Harvey wrote:
> >>> On Thu, Aug 19, 2021 at 2:28 PM Russell King (Oracle)
> >>> <linux at armlinux.org.uk> wrote:
> >>>>
> >>>> On Thu, Aug 19, 2021 at 10:19:46AM -0700, Tim Harvey wrote:
> >>>>> Greetings,
> >>>>>
> >>>>> Since commit a8e53c151fe7 "(ARM: 8737/1: mm: dump: add checking for
> >>>>> writable and executable)" I've been seeing the following appear on my
> >>>>> arm32 kernel:
> >>>>>
> >>>>> arm/mm: Found insecure W+X mapping at address 0xf087d000
> >>>>> ...
> >>>>> Checked W+X mappings: FAILED, 1 W+X pages found
> >>>>>
> >>>>> As I haven't seen others report this I assume it's something unique to
> >>>>> my kernel configuration. How do I debug what is causing the insecure
> >>>>> page?
> >>>>
> >>>> If you check /proc/vmallocinfo, it should tell you the physical
> >>>> address that was mapped there, and the function that created the
> >>>> mapping. That should give enough clues to track it down.
> >>>>
> >>>
> >>> Russell,
> >>>
> >>> Thanks for the tip!
> >>>
> >>> # dmesg | grep insecure
> >>> [   13.219582] arm/mm: Found insecure W+X mapping at address 0xf087d000
> >>> # cat /proc/vmallocinfo | grep 0xf0
> >>> 0x5f3045dd-0xf0020e05   20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
> >>> 0xf0020e05-0x6e748217    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> >>> 0x127639d7-0x334ee291    4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> >>
> >> Oh... the kernel's %p pointer munging (for security reasons) is
> >> affecting your ability to debug your problem. Assuming this is a
> >> recent kernel, you can disable this by passing "no_hash_pointers"
> >> on the kernel command line. You should then see real addresses (and
> >> a big fat message at boot time about it).
> >>
> >
> > I'm using 5.13 and when I pass in 'no_hash_pointers' I do indeed see
> > the huge warning but I get similar results that I can't make sense of:
>
> Pointer hashing always trips me up too, so I thought I'd chuck my
> curiosity into the ring...
>
> Between the vmallocinfo and printk code, it looks like you need to set
> /proc/sys/kptr_restrict to 1 and be root (or have CAP_SYSLOG privilege)
> to get non-hashed addresses here. Because having only one way to confuse
> debugging would be far too easy, I guess :/
>

Robin,

Thanks, that's what I needed:

# uname -r
5.13.12
# cat /proc/cmdline
console=ttymxc1,115200 no_hash_pointers
# echo 1 > /proc/sys/kernel/kptr_restrict
# dmesg | grep insecure
[   13.247957] arm/mm: Found insecure W+X mapping at address 0xf087d000
# cat /proc/vmallocinfo | grep 0xf087d000
0xf0878000-0xf087d000   20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
0xf087d000-0xf087f000    8192 imx6_pm_common_init+0x118/0x36c phys=0x00900000 ioremap

Some debugging showed me that 0xf087d000 is 'suspend_ocram_base'
remapped from imx6q_suspend_init() (called from imx6_pm_common_init()
[1]):

suspend_ocram_base = __arm_ioremap_exec(ocram_pbase,
                                        MX6Q_SUSPEND_OCRAM_SIZE, false);

This should be throwing 'Checked W+X mappings: FAILED, 1 W+X pages
found' messages for all IMX6 users that have CONFIG_SUSPEND and
CONFIG_DEBUG_WX enabled so I'm adding the IMX6 players to the thread
to see if they know why this happens.

Best regards,

Tim

[1] https://elixir.bootlin.com/linux/v5.13.12/source/arch/arm/mach-imx/pm-imx6.c#L509
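
The lookup done by hand in this thread, as an added example (not part of the message above and not kernel code): it pulls the W+X address out of dmesg text, refuses to match when the vmallocinfo addresses are hashed, and selects the area by range instead of by grep. The function names are hypothetical, and the hashing check assumes that an unhashed range length equals the size column, as it does in the output quoted above.

```python
import re

# Constructed inputs: lines modelled on the output quoted in this thread.
DMESG = "[   13.247957] arm/mm: Found insecure W+X mapping at address 0xf087d000\n"
HASHED = """\
0x5f3045dd-0xf0020e05   20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
0xf0020e05-0x6e748217    8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
"""
PLAIN = """\
0xf0878000-0xf087d000   20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
0xf087d000-0xf087f000    8192 imx6_pm_common_init+0x118/0x36c
phys=0x00900000 ioremap
"""

WX_RE = re.compile(r"Found insecure W\+X mapping at address (0x[0-9a-fA-F]+)")
# \s+ before phys= tolerates an entry wrapped onto a second line by a mail client.
AREA_RE = re.compile(
    r"^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)[ \t]+(\d+)[ \t]+(\S+)"
    r"(?:\s+phys=(0x[0-9a-fA-F]+))?", re.M)

def wx_addresses(dmesg):
    """Return every address the CONFIG_DEBUG_WX check reported."""
    return [int(m.group(1), 16) for m in WX_RE.finditer(dmesg)]

def parse_vmallocinfo(text):
    """Parse /proc/vmallocinfo text into one dict per area."""
    return [{"start": int(m.group(1), 16), "end": int(m.group(2), 16),
             "size": int(m.group(3)), "caller": m.group(4), "phys": m.group(5)}
            for m in AREA_RE.finditer(text)]

def looks_hashed(areas):
    # Assumption: with real addresses, end - start equals the size column.
    return any(a["end"] - a["start"] != a["size"] for a in areas)

def find_mapping(addr, areas):
    if looks_hashed(areas):
        raise ValueError("vmallocinfo addresses are hashed; cannot match ranges")
    # Ranges are half-open: an area that ends at addr does not contain it.
    for a in areas:
        if a["start"] <= addr < a["end"]:
            return a
    return None

if __name__ == "__main__":
    for addr in wx_addresses(DMESG):
        hit = find_mapping(addr, parse_vmallocinfo(PLAIN))
        print(hex(addr), hit["caller"], hit["phys"])
```

Matching by range returns only the imx6_pm_common_init area, whereas the grep in the message also prints the of_iomap area that merely ends at the reported address.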


