arm32 insecure W+X mapping
Tim Harvey
tharvey at gateworks.com
Tue Sep 7 10:48:49 PDT 2021
On Fri, Aug 20, 2021 at 11:41 AM Tim Harvey <tharvey at gateworks.com> wrote:
>
> On Fri, Aug 20, 2021 at 10:48 AM Robin Murphy <robin.murphy at arm.com> wrote:
> >
> > On 2021-08-20 17:06, Tim Harvey wrote:
> > > On Thu, Aug 19, 2021 at 5:16 PM Russell King (Oracle)
> > > <linux at armlinux.org.uk> wrote:
> > >>
> > >> On Thu, Aug 19, 2021 at 04:59:15PM -0700, Tim Harvey wrote:
> > >>> On Thu, Aug 19, 2021 at 2:28 PM Russell King (Oracle)
> > >>> <linux at armlinux.org.uk> wrote:
> > >>>>
> > >>>> On Thu, Aug 19, 2021 at 10:19:46AM -0700, Tim Harvey wrote:
> > >>>>> Greetings,
> > >>>>>
> > >>>>> Since commit a8e53c151fe7 "(ARM: 8737/1: mm: dump: add checking for
> > >>>>> writable and executable)" I've been seeing the following appear on my
> > >>>>> arm32 kernel:
> > >>>>>
> > >>>>> arm/mm: Found insecure W+X mapping at address 0xf087d000
> > >>>>> ...
> > >>>>> Checked W+X mappings: FAILED, 1 W+X pages found
> > >>>>>
> > >>>>> As I haven't seen others report this I assume it's something unique to
> > >>>>> my kernel configuration. How do I debug what is causing the insecure
> > >>>>> page?
> > >>>>
> > >>>> If you check /proc/vmallocinfo, it should tell you the physical
> > >>>> address that was mapped there, and the function that created the
> > >>>> mapping. That should give enough clues to track it down.
> > >>>>
> > >>>
> > >>> Russell,
> > >>>
> > >>> Thanks for the tip!
> > >>>
> > >>> # dmesg | grep insecure
> > >>> [ 13.219582] arm/mm: Found insecure W+X mapping at address 0xf087d000
> > >>> # cat /proc/vmallocinfo | grep 0xf0
> > >>> 0x5f3045dd-0xf0020e05 20480 imx6_pm_get_base+0x64/0x98 phys=0x020e0000 ioremap
> > >>> 0xf0020e05-0x6e748217 8192 dma_common_contiguous_remap+0x88/0xa4 dma-coherent
> > >>> 0x127639d7-0x334ee291 4096 iotable_init+0x0/0xf0 phys=0x00a00000 ioremap
> > >>
> > >> Oh... the kernel's %p pointer munging (for security reasons) is
> > >> affecting your ability to debug your problem. Assuming this is a
> > >> recent kernel, you can disable this by passing "no_hash_pointers"
> > >> on the kernel command line. You should then see real addresses (and
> > >> a big fat message at boot time about it.
> > >>
> > >
> > > I'm using 5.13 and when I pass in 'no_hash_pointers' I do indeed see
> > > the huge warning but I get similar results that I can't make sense of:
> >
> > Pointer hashing always trips me up too, so I thought I'd chuck my
> > curiosity into the ring...
> >
> > Between the vmallocinfo and printk code, it looks like you need to set
> > /proc/sys/kptr_restrict to 1 and be root (or have CAP_SYSLOG privilege)
> > to get non-hashed addresses here. Because having only one way to confuse
> > debugging would be far too easy, I guess :/
> >
>
> Robin,
>
> Thanks, that's what I needed:
>
> # uname -r
> 5.13.12
> # cat /proc/cmdline
> console=ttymxc1,115200 no_hash_pointers
> # echo 1 > /proc/sys/kernel/kptr_restrict
> # dmesg | grep insecure
> [ 13.247957] arm/mm: Found insecure W+X mapping at address 0xf087d000
> # cat /proc/vmallocinfo | grep 0xf087d000
> 0xf0878000-0xf087d000 20480 of_iomap+0x44/0x68 phys=0x021b0000 ioremap
> 0xf087d000-0xf087f000 8192 imx6_pm_common_init+0x118/0x36c
> phys=0x00900000 ioremap
>
> Some debugging showed me that 0xf087d000 is 'suspend_ocram_base'
> remapped from imx6q_suspend_init() (called form imx6_pm_common_init()
> [1]
> suspend_ocram_base = __arm_ioremap_exec(ocram_pbase,
> MX6Q_SUSPEND_OCRAM_SIZE, false);
>
> This should be throwing 'Checked W+X mappings: FAILED, 1 W+X pages
> found' messages for all IMX6 users that have CONFIG_SUSPEND and
> CONFIG_DEBUG_WX enabled so I'm adding the IMX6 players to the thread
> to see if they know why this happens.
>
Shawn, Fabio and Pengutronix Kernel team,
Do you know why we get 'Checked W+X mappings: FAILED, 1 W+X pages
found' messages for IMX6 with CONFIG_SUSPEND and CONFIG_DEBUG_WX
enabled due to to __arm_ioremap_exec call remapping ocram? [1]
Best regards,
Tim
[1] https://elixir.bootlin.com/linux/v5.13.12/source/arch/arm/mach-imx/pm-imx6.c#L509
More information about the linux-arm-kernel
mailing list