
Bug#852324: x86/mm: Found insecure W+X mapping



On Thu, 2017-03-16 at 00:50 +0000, Ben Hutchings wrote:
> On Wed, 2017-03-15 at 22:24 +0000, Ben Hutchings wrote:
> > Control: retitle -1 [xen] x86/mm: Found insecure W+X mapping
> > Control: tag -1 upstream confirmed
> > Control: found -1 4.9.13-1
> > 
> > I can reproduce this with a current Debian kernel on top of Xen 4.4. 
> > It doesn't happen with the same hardware booting the kernel directly.
> 
> With CONFIG_X86_PTDUMP enabled, I can see that the first 16 MiB of the
> low kernel mapping is mapped with W+X permissions, with a few
> exceptions:
> 
> 0xffff880000000000-0xffff880000099000         612K USR RW                     x  pte
> 0xffff880000099000-0xffff88000009a000           4K USR ro                     NX pte
> 0xffff88000009a000-0xffff88000009b000           4K USR ro                     x  pte
> 0xffff88000009b000-0xffff88000009f000          16K USR RW                     NX pte
> 0xffff88000009f000-0xffff880000100000         388K USR RW PWT PCD             x  pte
> 0xffff880000100000-0xffff880000102000           8K USR RW                     x  pte
> 0xffff880000102000-0xffff880001000000       15352K USR RW                     x  pte
> 
> This accounts for all the 4090 pages reported at boot.

I see this same mapping when running Linux 4.9 under either Xen 4.4 or
4.8 (from Debian stable or unstable).

I don't really understand how the PV MMU page tables are set up.  I did
try setting the NX flag in make_lowmem_page_readwrite() and that didn't
make any difference to the number of W+X pages.

Ben.

> When booting without Xen, the first 512 MiB is mapped like this:
> 
> 0xffff9c2e40000000-0xffff9c2e40097000         604K     RW                 GLB NX pte
> 0xffff9c2e40097000-0xffff9c2e40098000           4K     ro                 GLB NX pte
> 0xffff9c2e40098000-0xffff9c2e40099000           4K     ro                 GLB x  pte
> 0xffff9c2e40099000-0xffff9c2e40200000        1436K     RW                 GLB NX pte
> 0xffff9c2e40200000-0xffff9c2e60000000         510M     RW         PSE     GLB NX pmd
> 
> (looks like Xen inhibited kASLR too...).
> 
> Ben.
> 
-- 
Ben Hutchings
The two most common things in the universe are hydrogen and stupidity.
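
Added example, not part of the original message: a small parser for the CONFIG_X86_PTDUMP lines quoted above that totals the pages mapped both `RW` and `x`, which reproduces the 4090 figure for the Xen boot and gives zero for the boot without Xen. The function names and the 4 KiB page-size constant are this example's own assumptions; the sample input is copied from the message.

```python
import re

PAGE = 4096  # assumption: 4 KiB base pages, as on x86-64
UNIT = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}
RANGE = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+(\d+)([KMGT])\s+(.*)$")

# Sample input: the ptdump lines quoted in the message (kernel running under Xen).
XEN_DUMP = """\
0xffff880000000000-0xffff880000099000         612K USR RW                     x  pte
0xffff880000099000-0xffff88000009a000           4K USR ro                     NX pte
0xffff88000009a000-0xffff88000009b000           4K USR ro                     x  pte
0xffff88000009b000-0xffff88000009f000          16K USR RW                     NX pte
0xffff88000009f000-0xffff880000100000         388K USR RW PWT PCD             x  pte
0xffff880000100000-0xffff880000102000           8K USR RW                     x  pte
0xffff880000102000-0xffff880001000000       15352K USR RW                     x  pte
"""

# Sample input: the ptdump lines quoted for the boot without Xen.
NATIVE_DUMP = """\
0xffff9c2e40000000-0xffff9c2e40097000         604K     RW                 GLB NX pte
0xffff9c2e40097000-0xffff9c2e40098000           4K     ro                 GLB NX pte
0xffff9c2e40098000-0xffff9c2e40099000           4K     ro                 GLB x  pte
0xffff9c2e40099000-0xffff9c2e40200000        1436K     RW                 GLB NX pte
0xffff9c2e40200000-0xffff9c2e60000000         510M     RW         PSE     GLB NX pmd
"""

def parse(dump):
    """Yield (start, end, flags, level) for each ptdump range line."""
    for raw in dump.splitlines():
        m = RANGE.match(raw.lstrip("> ").strip())  # tolerate mail quoting
        if not m:
            continue  # section headers and blank lines
        start, end = int(m[1], 16), int(m[2], 16)
        if end - start != int(m[3]) * UNIT[m[4]]:
            raise ValueError(f"size column disagrees with addresses: {raw!r}")
        *flags, level = m[5].split()
        yield start, end, set(flags), level

def wx_ranges(dump):
    """Ranges that are writable (RW) and executable (x, i.e. NX clear)."""
    return [(s, e) for s, e, flags, _ in parse(dump) if "RW" in flags and "x" in flags]

def wx_pages(dump):
    """Total number of base pages covered by W+X ranges."""
    return sum((e - s) // PAGE for s, e in wx_ranges(dump))

if __name__ == "__main__":
    for name, dump in (("xen", XEN_DUMP), ("native", NATIVE_DUMP)):
        print(name, wx_pages(dump), [f"{s:#x}-{e:#x}" for s, e in wx_ranges(dump)])
```

The `ro` + `x` page in each dump is executable but not writable, so it is not counted.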
