From patchwork Wed Dec 13 11:58:36 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Mark Rutland <mark.rutland@arm.com>
X-Patchwork-Id: 847956
Return-Path: 
 <linux-arm-kernel-bounces+incoming-imx=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming-imx@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-imx@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.infradead.org
	(client-ip=65.50.211.133; helo=bombadil.infradead.org;
	envelope-from=linux-arm-kernel-bounces+incoming-imx=patchwork.ozlabs.org@lists.infradead.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org
	header.b="c8ur2ohn"; dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3yxZwn6dXhz9s72
	for <incoming-imx@patchwork.ozlabs.org>;
	Wed, 13 Dec 2017 22:59:05 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:
	Message-ID:Subject:To:From:Date:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=mqwq9ytl7egYh8bkENyzpGLzIHiRPFodBfE0CcG+Ikw=;
	b=c8ur2ohnsx1qdd
	YOrWnE9cPV0N3hQ4PKzYd1Eh/yNODKWP2BvzZKzCnkt+4b1agkkSayqYHiPW7GR8FSzmPe5TR3wuR
	+Oc10CelQQRb7gLymg3GmG8fLHBBAQfYUllNS8kQ+13cnoyisafj0T7fwPaHJc6UAN+fsE2hFe8lO
	M12oKSbPVadBDkJX2dhy2/IioEtoRobmZ6CIdheRJ37lzFEsSvWkAN+nhTw3vydDxDLWMpw+1X4W3
	YIxfNjeGQ6RKHnmCz+KuHduxvxFfAYV4SFWGHK9kD1vW7F2Ipbssc35sgu+w2rj4Ou5RqhWs4Zl8W
	342duECnza3cX5UE3JWw==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1eP5gm-0003eN-Aj; Wed, 13 Dec 2017 11:59:04 +0000
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]
	helo=foss.arm.com)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1eP5gi-0003Mu-Lu for linux-arm-kernel@lists.infradead.org;
	Wed, 13 Dec 2017 11:59:02 +0000
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
	by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B8D9415A2;
	Wed, 13 Dec 2017 03:58:39 -0800 (PST)
Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com
	[10.72.51.249])
	by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id
	C9DC73F246; Wed, 13 Dec 2017 03:58:38 -0800 (PST)
Date: Wed, 13 Dec 2017 11:58:36 +0000
From: Mark Rutland <mark.rutland@arm.com>
To: Laura Abbott <labbott@redhat.com>, Timur Tabi <timur@codeaurora.org>
Subject: [PATCH] arm64: fix CONFIG_DEBUG_WX address reporting (was: Re: How
	to debug "insecure W+X mapping"?)
Message-ID: <20171213115835.pkt3fyqcbk7lgdeb@lakrids.cambridge.arm.com>
References: <bff5a2b3-0d93-5f55-c129-4b14a5a09b45@codeaurora.org>
	<680ec27a-1557-f2d9-8159-bd49326bd36c@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <680ec27a-1557-f2d9-8159-bd49326bd36c@redhat.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20171213_035900_737960_32ACBC77 
X-CRM114-Status: GOOD (  17.07  )
X-Spam-Score: -6.9 (------)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-6.9 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/,
	high trust [217.140.101.70 listed in list.dnswl.org]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
	domain
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: Kees Cook <keescook@chromium.org>, linux-arm-kernel@lists.infradead.org
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+incoming-imx=patchwork.ozlabs.org@lists.infradead.org
List-Id: linux-imx-kernel.lists.patchwork.ozlabs.org

On Tue, Dec 12, 2017 at 03:30:00PM -0800, Laura Abbott wrote:
> On 12/12/2017 02:57 PM, Timur Tabi wrote:
> > We have a 4.10-based kernel that occasionally displays an insecure W+X mapping (courtesy of CONFIG_DEBUG_WX):
> > 
> > [    7.151680] arm64/mm: Found insecure W+X mapping at address 0000345a049d2000/0x345a049d2000
> > ...
> > [    7.435481] Checked W+X mappings: FAILED, 4 W+X pages found, 0 non-UXN pages found
> > 
> > The number of actual W+X pages varies, e.g. sometimes it says 6 pages.
> > 
> > How do I go about debugging this? How do I identify the source of 0000345a049d2000?	
> 
> That's a funny address. The check was written to scan the init_mm
> page table but that's not a kernel address on arm64. It almost looks
> like something set up a userspace mapping very early in the boot process?

Whoops; I think we forgot to apply the VA_START offset in
ptdump_check_wx(), so we report the address wrong.

Does the below (untested) patch result in a sane-looking report?

Thanks,
Mark.

---->8----
From b3021b76b9ea1e65388b38dfe622ea956cb18647 Mon Sep 17 00:00:00 2001
From: Mark Rutland <mark.rutland@arm.com>
Date: Wed, 13 Dec 2017 11:45:42 +0000
Subject: [PATCH] arm64: fix CONFIG_DEBUG_WX address reporting

In ptdump_check_wx(), we pass walk_pgd() a start address of 0 (rather
than VA_START) for the init_mm. This means that any reported W&X
addresses are offset by VA_START, which is unexepcted and confusing.

Let's fix this by telling the ptdump code that we're walking init_mm
starting at VA_START. We don't need to update the addr_markers, since
these are still valid bounds regardless.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Reported-by: Timur Tabi <timur@codeaurora.org>
Tested-by: Laura Abbott <labbott@redhat.com>
---
 arch/arm64/mm/dump.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/mm/dump.c b/arch/arm64/mm/dump.c
index ca74a2aace42..7b60d62ac593 100644
--- a/arch/arm64/mm/dump.c
+++ b/arch/arm64/mm/dump.c
@@ -389,7 +389,7 @@ void ptdump_check_wx(void)
 		.check_wx = true,
 	};
 
-	walk_pgd(&st, &init_mm, 0);
+	walk_pgd(&st, &init_mm, VA_START);
 	note_page(&st, 0, 0, 0);
 	if (st.wx_pages || st.uxn_pages)
 		pr_warn("Checked W+X mappings: FAILED, %lu W+X pages found, %lu non-UXN pages found\n",