Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933098AbbLOH5C (ORCPT <rfc822;w@1wt.eu>);
	Tue, 15 Dec 2015 02:57:02 -0500
Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:34935 "EHLO
	atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932077AbbLOH47 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 15 Dec 2015 02:56:59 -0500
Date: Tue, 15 Dec 2015 08:56:56 +0100
From: Pavel Machek <pavel@ucw.cz>
To: Arjan van de Ven <arjan@linux.intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Borislav Petkov <bp@alien8.de>,
        kernel list <linux-kernel@vger.kernel.org>,
        Stephen Smalley <sds@tycho.nsa.gov>, Brian Gerst <brgerst@gmail.com>,
        Denys Vlasenko <dvlasenk@redhat.com>, Peter Anvin <hpa@zytor.com>,
        Mike Galbraith <efault@gmx.de>, Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>
Subject: Re: 4.4-rc5: ugly warn on: 5 W+X pages found
Message-ID: <20151215075656.GA3734@amd>
References: <20151115070022.GA15417@amd>
 <20151214080403.GA3708@amd>
 <20151214085803.GA10520@pd.tnic>
 <20151214090726.GA6472@amd>
 <CA+55aFwivS6pnNKqy6aFrh4H5HC2izW_Rw0GL1hV9EdbV+HhkA@mail.gmail.com>
 <20151214202627.GA15104@amd>
 <CALCETrX6DrW2AJz=WGjMW+nNTsq08+Cte0m=CF_Q9+uzsuR1vA@mail.gmail.com>
 <566F3378.8070009@linux.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <566F3378.8070009@linux.intel.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2140
Lines: 64

On Mon 2015-12-14 13:24:08, Arjan van de Ven wrote:
> 
> >That's weird.  The only API to do that seems to be manually setting
> >kmap_prot to _PAGE_KERNEL_EXEC, and nothing does that.  (Why is
> >kmap_prot a variable on x86 at all?  It has exactly one writer, and
> >that's the code that initializes it in the first place.  Shouldn't we
> >#define kmap_prot _PAGE_KERNEL?
> 
> iirc it changes based on runtime detection of NX capability

Huh. Is it possible that core duo is so old that it has no NX?

processor  : 1
vendor_id  : GenuineIntel
cpu family : 6
model	     : 14
model name   : Genuine Intel(R) CPU           T2400  @ 1.83GHz
stepping     : 8
microcode    : 0x39
...
wp    		 : yes
flags		   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
pge mca cmov clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx
constant_tsc arch_perfmon bts aperfmperf pni monitor vmx est tm2 xtpr
pdcm dtherm

No, it lists nx in flags. Linus asked me about trying without
CONFIG_EFI. I should have no EFI here, but I'll try it.

I turned off CONFIG_EFI, but CONFIG_UEFI_CPER can't seem to be
disabled easily.

Still:

[    3.269750] WARNING: CPU: 1 PID: 1 at
arch/x86/mm/dump_pagetables.c:225 note_page+0x5ec/0x790()
[    3.271999] x86/mm: Found insecure W+X mapping at address
ffe69000/0xffe69000

pavel@duo:~$ zcat /proc/config.gz  | grep EFI
# CONFIG_EFI_PARTITION is not set
# CONFIG_EFI is not set
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
CONFIG_UEFI_CPER=y
pavel@duo:~$

Ok, I managed to turn off even CONFIG_UEFI_CPER after some fight, but
result is the same.

(Hmm... I'll probably regret it, but... I guess config.gz does contain
some information useful for the attacker. How long till some "hardened
distro" chmods it to 600?)

Best regards,

							Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/