Re: general protection fault in perf_misc_flags

From: Borislav Petkov
Date: Sat Sep 26 2020 - 13:14:58 EST


On Fri, Sep 25, 2020 at 05:32:14PM -0700, Nick Desaulniers wrote:
> Boris, one question I have. Doesn't the kernel mark pages backing
> executable code as read only at some point?

Yes, I added some debug output:

[ 562.959995][ T1] Freeing unused kernel image (initmem) memory: 2548K
[ 563.672645][ T1] Write protecting the kernel read-only data: 137216k [0xffffffff81000000:0xffffffff89600000]

and perf_misc_flags() is well within that range:

ffffffff810118e0 <perf_misc_flags>:

[ 566.076923][ T1] unused kernel image (text/rodata gap): [0xffffffff88608000:0xffffffff88800000]
[ 567.039076][ T1] unused kernel image (rodata/data gap): [0xffffffff8941d000:0xffffffff89600000]
[ 568.205550][ T1] Freeing unused kernel image (text/rodata gap) memory: 2016K
[ 569.277742][ T1] Freeing unused kernel image (rodata/data gap) memory: 1932K

We also have this debug option which I enabled:

[ 570.598533][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.

so that looks ok too.

> If that were the case, then I don't see how the instruction stream
> could be modified. I guess static key patching would have to undo that
> permission mapping before patching.

Yap, and I still have no clue about the mechanism which would lead to
this corruption.

> You're right about the length shorter than what I would have expected
> from static key patching. That could very well be a write through
> dangling int pointer...

Right.

Lemme try to setup one of my test boxes to run syzkaller and see how far
I can get. But don't hold your breath...

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette