On Wed, 2017-03-15 at 22:24 +0000, Ben Hutchings wrote:
> Control: retitle -1 [xen] x86/mm: Found insecure W+X mapping
> Control: tag -1 upstream confirmed
> Control: found -1 4.9.13-1
>
> I can reproduce this with a current Debian kernel on top of Xen 4.4.
> It doesn't happen with the same hardware booting the kernel directly.

With CONFIG_X86_PTDUMP enabled, I can see that the first 16 MiB of the
low kernel mapping is mapped with W+X permissions, with a few exceptions:

0xffff880000000000-0xffff880000099000 612K USR RW x pte
0xffff880000099000-0xffff88000009a000 4K USR ro NX pte
0xffff88000009a000-0xffff88000009b000 4K USR ro x pte
0xffff88000009b000-0xffff88000009f000 16K USR RW NX pte
0xffff88000009f000-0xffff880000100000 388K USR RW PWT PCD x pte
0xffff880000100000-0xffff880000102000 8K USR RW x pte
0xffff880000102000-0xffff880001000000 15352K USR RW x pte

This accounts for all the 4090 pages reported at boot.

When booting without Xen, the first 512 MiB is mapped like this:

0xffff9c2e40000000-0xffff9c2e40097000 604K RW GLB NX pte
0xffff9c2e40097000-0xffff9c2e40098000 4K ro GLB NX pte
0xffff9c2e40098000-0xffff9c2e40099000 4K ro GLB x pte
0xffff9c2e40099000-0xffff9c2e40200000 1436K RW GLB NX pte
0xffff9c2e40200000-0xffff9c2e60000000 510M RW PSE GLB NX pmd

(looks like Xen inhibited kASLR too...).

Ben.

-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
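A small checker for the CONFIG_X86_PTDUMP format used above, added here as an illustration and not part of the thread: it parses the range lines, flags every mapping that is both RW and executable (no NX), and sums their pages. The sample input is the Xen-case dump quoted in the mail, embedded as constructed test data; the page-table debugfs path in the usage line is assumed, not taken from the report.

```python
import re
import sys

# Constructed sample: the Xen-case PTDUMP lines quoted in the mail above.
SAMPLE_DUMP = """\
0xffff880000000000-0xffff880000099000 612K USR RW x pte
0xffff880000099000-0xffff88000009a000 4K USR ro NX pte
0xffff88000009a000-0xffff88000009b000 4K USR ro x pte
0xffff88000009b000-0xffff88000009f000 16K USR RW NX pte
0xffff88000009f000-0xffff880000100000 388K USR RW PWT PCD x pte
0xffff880000100000-0xffff880000102000 8K USR RW x pte
0xffff880000102000-0xffff880001000000 15352K USR RW x pte
"""

# start-end, human-readable size, flag words, then the level (pte/pmd/pud/pgd).
LINE_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s+(.*?)\s+(pte|pmd|pud|pgd)$')


def parse_ptdump(text):
    """Yield (start, end, flags) per mapping line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        yield start, end, set(m.group(3).split())


def find_wx(text, page_size=4096):
    """Return [(start, end, pages)] for ranges that are writable AND executable."""
    hits = []
    for start, end, flags in parse_ptdump(text):
        writable = 'RW' in flags
        executable = 'x' in flags and 'NX' not in flags
        if writable and executable:
            hits.append((start, end, (end - start) // page_size))
    return hits


def wx_page_count(text):
    """Total W+X pages; for the sample this matches the 4090 the kernel reported."""
    return sum(pages for _, _, pages in find_wx(text))


if __name__ == "__main__":
    # Assumed path: on a live system pass e.g. /sys/kernel/debug/page_tables/kernel.
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for start, end, pages in find_wx(dump):
        print(f"W+X 0x{start:016x}-0x{end:016x} ({pages} pages)")
    print(f"total W+X pages: {wx_page_count(dump)}")
```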