Re: x86/mm: Found insecure W+X mapping at address (ptrval)/0xc00a0000

From: Thomas Gleixner
Date: Fri Oct 05 2018 - 05:27:39 EST


On Thu, 4 Oct 2018, Joerg Roedel wrote:

> On Wed, Oct 03, 2018 at 11:22:55PM +0200, Borislav Petkov wrote:
> > On Fri, Sep 28, 2018 at 04:55:19PM +0200, Thomas Gleixner wrote:
> > > Sorry for the delay and thanks for the data. A quick diff did not reveal
> > > anything obvious. I'll have a closer look and we probably need more (other)
> > > information to nail that down.
>
> I also triggered this when working in the PTI-x32 code. It always
> happens on a 32-bit PAE kernel for me.
>
> Tracking it down I ended up in (iirc) arch/x86/mm/pageattr.c
> function static_protections():
>
> /*
> * The BIOS area between 640k and 1Mb needs to be executable for
> * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
> */
> #ifdef CONFIG_PCI_BIOS
> if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
> pgprot_val(forbidden) |= _PAGE_NX;
> #endif
>
> I think that is the reason we are seeing this in that configuration.

Uurgh. Yes.

If pcibios is enabled and used, need to look at the gory details of that
first, then the W+X check has to exclude that region. We can't do much
about that.

Thanks,

tglx