Re: [PATCH v2] x86/mm: Refuse W^X violations

From: Guenter Roeck
Date: Wed Sep 21 2022 - 19:00:10 EST


On 9/21/22 13:59, Dave Hansen wrote:
> On 9/21/22 13:07, Guenter Roeck wrote:
>> [ 2.042861] CPA refuse W^X violation: 8000000000000063 -> 0000000000000063 range: 0x00000000c00a0000 - 0x00000000c00a0fff PFN a0
>> ILLOPC: cbc65efa: 0f 0b
>> [ 2.043267] WARNING: CPU: 0 PID: 1 at arch/x86/mm/pat/set_memory.c:600 __change_page_attr_set_clr+0xdca/0xdd0
>> ...
>> [ 2.050307] ---[ end trace 0000000000000000 ]---
>> [ 2.050762] PCI: PCI BIOS area is rw and x. Use pci=nobios if you want it NX.
>> [ 2.051115] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
>> [ 2.051115] BUG: unable to handle page fault for address: c00fd2bf
>
> This _looks_ like it is working as intended. The PCI BIOS code tried to
> make a RWX page. The CPA code refused to do it and presumably returned
> an error, leaving a RW, non-executable page. The PCI code didn't
> check the set_memory_x() return code and tried to go execute anyway.
> That resulted in the oops.
>
> I was able to reproduce this pretty easily. The workaround from dmesg
> is pci=nobios. That seems to do the trick for me, although that advice
> was sandwiched between a warning and an oops, so not the easiest to find.
>
> I'm a bit torn what to do on this one. Breaking the boot is bad, but so
> is leaving RWX memory around.
>
> Thoughts?

For my part I'll do what the above suggests, i.e. run tests with PAE enabled
with pci=nobios command line option. AFAICS that hides the problem in my tests.
I am just not sure if that is really appropriate.

Guenter
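
The warning line quoted in this message can be decoded mechanically. The C sketch below is an added example, not part of the original message and not kernel code: it parses that line and tests the requested attribute change against the architectural x86 RW (bit 1) and NX (bit 63) page-table bits. The struct and function names are illustrative, and it assumes NX is enforced, as on the PAE configuration discussed.

```c
#include <stdio.h>
#include <string.h>

/* Architectural x86 page-table entry bits. */
#define PTE_RW (1ULL << 1)   /* writable */
#define PTE_NX (1ULL << 63)  /* no-execute (needs PAE or 64-bit paging) */

/* The warning line quoted in the message above. */
static const char SAMPLE[] =
    "[ 2.042861] CPA refuse W^X violation: 8000000000000063 -> "
    "0000000000000063 range: 0x00000000c00a0000 - 0x00000000c00a0fff PFN a0";

struct cpa_event {                          /* illustrative name */
    unsigned long long old_prot, new_prot;  /* attributes before / requested */
    unsigned long long start, end, pfn;     /* affected range and first PFN */
};

/* Parse one "CPA refuse W^X violation" line; 0 on success, -1 otherwise. */
int parse_cpa_line(const char *line, struct cpa_event *ev)
{
    const char *p = strstr(line, "CPA refuse W^X violation:");
    if (!p)
        return -1;
    return sscanf(p, "CPA refuse W^X violation: %llx -> %llx range: %llx - %llx PFN %llx",
                  &ev->old_prot, &ev->new_prot, &ev->start, &ev->end, &ev->pfn) == 5 ? 0 : -1;
}

/* A mapping is writable and executable when RW is set and NX is clear. */
int is_wx(unsigned long long prot)
{
    return (prot & (PTE_RW | PTE_NX)) == PTE_RW;
}

/* True when the request would turn a non-W+X mapping into a W+X one. */
int request_creates_wx(const struct cpa_event *ev)
{
    return !is_wx(ev->old_prot) && is_wx(ev->new_prot);
}

int main(void)
{
    struct cpa_event ev;
    if (parse_cpa_line(SAMPLE, &ev) != 0)
        return 1;
    printf("0x%llx-0x%llx pfn 0x%llx: W+X before=%d requested=%d creates_wx=%d\n",
           ev.start, ev.end, ev.pfn, is_wx(ev.old_prot), is_wx(ev.new_prot),
           request_creates_wx(&ev));
    return 0;
}
```

For the quoted line the only bit that differs between the old and requested attributes is NX, on a page that already has RW set.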