Re: hv_hypercall_pg page permissios

From: Christoph Hellwig
Date: Tue Jun 16 2020 - 03:23:24 EST

Next message: syzbot: "upstream test error: KASAN: use-after-free Write in afs_wake_up_async_call"
Previous message: Mauro Carvalho Chehab: "Re: [PATCH 18/22] docs: trace: ring-buffer-design.txt: convert to ReST format"
Next in thread: Peter Zijlstra: "Re: hv_hypercall_pg page permissios"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jun 15, 2020 at 07:49:41PM +0000, Dexuan Cui wrote:
> I did this experiment:
> 1. export vmalloc_exec and ptdump_walk_pgd_level_checkwx.
> 2. write a test module that calls them.
> 3. It turns out that every call of vmalloc_exec() triggers such a warning.
>
> vmalloc_exec() uses PAGE_KERNEL_EXEC, which is defined as
> (__PP|__RW| 0|___A| 0|___D| 0|___G)
>
> It looks the logic in note_page() is: for_each_RW_page, if the NX bit is unset,
> then report the page as an insecure W+X mapping. IMO this explains the
> warning?

It does. But it also means every other user of PAGE_KERNEL_EXEC
should trigger this, of which there are a few (kexec, tboot, hibernate,
early xen pv mapping, early SEV identity mapping)

We really shouldn't create mappings like this by default. Either we
need to flip PAGE_KERNEL_EXEC itself based on the needs of the above
users, or add another define to overload vmalloc_exec as there is no
other user of that for x86.

Next message: syzbot: "upstream test error: KASAN: use-after-free Write in afs_wake_up_async_call"
Previous message: Mauro Carvalho Chehab: "Re: [PATCH 18/22] docs: trace: ring-buffer-design.txt: convert to ReST format"
Next in thread: Peter Zijlstra: "Re: hv_hypercall_pg page permissios"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]