Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kaslr/memory
commit c92efeaa76bb548b9f1c302b8d9748bfdfd42f16
Author: Thomas Garnier <thgarnie(a)google.com>
AuthorDate: Thu May 12 12:28:19 2016 -0700
Commit: Kees Cook <keescook(a)chromium.org>
CommitDate: Fri Jun 3 09:04:34 2016 -0700
x86/mm: Implement ASLR for kernel memory sections (x86_64)
Randomizes the virtual address space of kernel memory sections (physical
memory mapping, vmalloc & vmemmap) for x86_64. This security feature
mitigates exploits relying on predictable kernel addresses. These
addresses can be used to disclose the kernel modules base addresses
or corrupt specific structures to elevate privileges bypassing the
current implementation of KASLR. This feature can be enabled with the
CONFIG_RANDOMIZE_MEMORY option.
The physical memory mapping holds most allocations from boot and heap
allocators. Knowing the base address and physical memory size, an
attacker can deduce the PDE virtual address for the vDSO memory page.
This attack was demonstrated at CanSecWest 2016, in the "Getting
Physical Extreme Abuse of Intel Based Paged Systems"
https://goo.gl/ANpWdV (see second part of the presentation). The
exploits used against Linux worked successfully against 4.6+ but fail
with KASLR memory enabled (https://goo.gl/iTtXMJ). Similar research
was done at Google leading to this patch proposal. Variants exist to
overwrite /proc or /sys objects ACLs leading to elevation of privileges.
These variants were tested against 4.6+.
The vmalloc memory section contains the allocation made through the
vmalloc API. The allocations are done sequentially to prevent
fragmentation and each allocation address can easily be deduced
especially from boot.
The vmemmap section holds a representation of the physical
memory (through a struct page array). An attacker could use this section
to disclose the kernel memory layout (walking the page linked list).
The order of each memory section is not changed. The feature looks at
the available space for the sections based on different configuration
options and randomizes the base and space between each. The size of the
physical memory mapping is the available physical memory. No performance
impact was detected while testing the feature.
Entropy is generated using the KASLR early boot functions now shared in
the lib directory (originally written by Kees Cook). Randomization is
done on PGD & PUD page table levels to increase possible addresses. The
physical memory mapping code was adapted to support PUD level virtual
addresses. This implementation on the best configuration provides 30,000
possible virtual addresses on average for each memory section. An
additional low memory page is used to ensure each CPU can start with a
PGD aligned virtual address (for realmode).
x86/dump_pagetable was updated to correctly display each section.
The page offset used by the compressed kernel was changed to the static
value, since it is not yet randomized during this boot stage.
Updated documentation on x86_64 memory layout accordingly.
Performance data:
Kernbench shows almost no difference (+/- less than 1%):
Before:
Average Optimal load -j 12 Run (std deviation):
Elapsed Time 102.63 (1.2695)
User Time 1034.89 (1.18115)
System Time 87.056 (0.456416)
Percent CPU 1092.9 (13.892)
Context Switches 199805 (3455.33)
Sleeps 97907.8 (900.636)
After:
Average Optimal load -j 12 Run (std deviation):
Elapsed Time 102.489 (1.10636)
User Time 1034.86 (1.36053)
System Time 87.764 (0.49345)
Percent CPU 1095 (12.7715)
Context Switches 199036 (4298.1)
Sleeps 97681.6 (1031.11)
Hackbench shows 0% difference on average (hackbench 90
repeated 10 times):
attempt,before,after
1,0.076,0.069
2,0.072,0.069
3,0.066,0.066
4,0.066,0.068
5,0.066,0.067
6,0.066,0.069
7,0.067,0.066
8,0.063,0.067
9,0.067,0.065
10,0.068,0.071
average,0.0677,0.0677
Signed-off-by: Thomas Garnier <thgarnie(a)google.com>
Signed-off-by: Kees Cook <keescook(a)chromium.org>
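The section randomization the commit message above describes (order of the sections kept, a random PUD-aligned base and spacing for each, leftover entropy shared between the sections still to place), as an added user-space model written for this page; it is not the kernel's own implementation. The 64 TB window, the per-section spans and the xorshift PRNG are constructed assumptions; the real code sizes the physical mapping from available RAM and seeds from the early-boot KASLR entropy functions.

```c
#include <stdint.h>

#define PUD_SIZE (1ULL << 30)   /* 1 GiB: randomization granularity (PUD level) */
#define PUD_MASK (~(PUD_SIZE - 1))
#define TB       (1ULL << 40)
/* Assumed 64 TB randomizable window (constructed; the kernel derives it from the layout). */
#define VADDR_START 0xffff880000000000ULL
#define VADDR_END   0xffffc80000000000ULL

/* Order stays fixed, as in the commit: physical mapping, vmalloc, vmemmap. Minimum span
 * per section in TB is constructed (1 TB RAM, 32 TB vmalloc, 1 TB vmemmap). */
enum { PHYSMAP, VMALLOC, VMEMMAP, NSECTIONS };
static const uint64_t need_tb[NSECTIONS] = { 1, 32, 1 };

/* Toy deterministic PRNG for reproducible runs; the kernel seeds from boot-time entropy. */
static uint64_t xorshift64(uint64_t *s) {
    uint64_t x = *s; x ^= x << 13; x ^= x >> 7; x ^= x << 17; return *s = x;
}

/* Slack left once each section's span plus one PUD of padding is reserved. */
static uint64_t slack(void) {
    uint64_t remain = VADDR_END - VADDR_START;
    for (int i = 0; i < NSECTIONS; i++) remain -= need_tb[i] * TB + PUD_SIZE;
    return remain;
}

/* Random PUD-aligned gap before each section, spending a fair share of the remaining
 * slack so the sections placed later still have entropy of their own. */
void randomize_sections(uint64_t seed, uint64_t base[NSECTIONS]) {
    uint64_t vaddr = VADDR_START, remain = slack();
    for (int i = 0; i < NSECTIONS; i++) {
        uint64_t share = remain / (NSECTIONS - i);
        uint64_t gap = (xorshift64(&seed) % (share + 1)) & PUD_MASK;
        base[i] = vaddr + gap;
        vaddr = (base[i] + need_tb[i] * TB + PUD_SIZE) & PUD_MASK; /* skip + 1 PUD pad */
        remain -= gap;
    }
}

/* Distinct bases the first section can take in this model (10240 here). */
uint64_t first_section_positions(void) { return slack() / NSECTIONS / PUD_SIZE + 1; }

/* Invariants: PUD-aligned, inside the window, order kept, no overlap. */
int layout_is_sane(const uint64_t base[NSECTIONS]) {
    for (int i = 0; i < NSECTIONS; i++) {
        if ((base[i] & (PUD_SIZE - 1)) || base[i] < VADDR_START) return 0;
        if (base[i] + need_tb[i] * TB > VADDR_END) return 0;
        if (i && base[i] < base[i - 1] + need_tb[i - 1] * TB + PUD_SIZE) return 0;
    }
    return 1;
}
```

Call randomize_sections with different seeds and run layout_is_sane on each result to see that every layout keeps the fixed order with random, PUD-aligned spacing inside the window.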
+--------------------------------------------------------------+------------+------------+-----------------+
|                                                              | dfac57cb38 | c92efeaa76 | v4.7-rc1_060505 |
+--------------------------------------------------------------+------------+------------+-----------------+
| boot_successes                                               | 59         | 0          | 0               |
| boot_failures                                                | 47         | 27         | 13              |
| BUG:kernel_boot_crashed                                      | 19         | 4          | 1               |
| BUG:kernel_boot_hang                                         | 1          | 1          |                 |
| INFO:rcu_sched_self-detected_stall_on_CPU                    | 22         |            |                 |
| INFO:rcu_sched_detected_stalls_on_CPUs/tasks                 | 25         |            |                 |
| backtrace:mark_rodata_ro                                     | 22         |            |                 |
| BUG:KASAN:slab-out-of-bounds_in_apparmor_setprocattr_at_addr | 2          |            |                 |
| Out_of_memory:Kill_process                                   | 1          |            |                 |
| BUG:unable_to_handle_kernel                                  | 0          | 22         | 12              |
| Oops                                                         | 0          | 22         | 12              |
| RIP:reserve_bootmem_region                                   | 0          | 11         | 4               |
| Kernel_panic-not_syncing:Fatal_exception                     | 0          | 22         | 12              |
| backtrace:free_all_bootmem                                   | 0          | 11         | 4               |
| backtrace:mem_init                                           | 0          | 11         | 4               |
| RIP:check_memory_region                                      | 0          | 11         | 8               |
| backtrace:kmem_cache_create                                  | 0          | 11         | 8               |
| backtrace:vfs_caches_init                                    | 0          | 11         |                 |
| bit_relocation_outside_of_kernel                             | 0          | 1          |                 |
| System_halted                                                | 0          | 1          |                 |
| backtrace:nsproxy_cache_init                                 | 0          | 0          | 8               |
| backtrace:proc_caches_init                                   | 0          | 0          | 8               |
+--------------------------------------------------------------+------------+------------+-----------------+
[ 0.000000] PID hash table entries: 2048 (order: 2, 16384 bytes)
[ 0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
[ 0.000000] BUG: unable to handle kernel paging request at fffff5df00000004
[ 0.000000] IP: [<ffffffffaae319ff>] reserve_bootmem_region+0x84/0xce
[ 0.000000] PGD 0
[ 0.000000] Oops: 0000 [#1] SMP KASAN
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.7.0-rc1-00130-gc92efea #1
[ 0.000000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[ 0.000000] task: ffffffffaaa11e00 ti: ffffffffaaa00000 task.ti: ffffffffaaa00000
[ 0.000000] RIP: 0010:[<ffffffffaae319ff>] [<ffffffffaae319ff>] reserve_bootmem_region+0x84/0xce
[ 0.000000] RSP: 0000:ffffffffaaa07d98 EFLAGS: 00010802
[ 0.000000] RAX: fffffbfff554bd10 RBX: 0000000000000000 RCX: 1ffff9df00000004
[ 0.000000] RDX: 1ffff21b2a2a5600 RSI: 0000000000000010 RDI: ffffffffaaf3db80
[ 0.000000] RBP: ffffffffaaa07dd0 R08: ffffffffaaa07d48 R09: ffffffffaadcd5f6
[ 0.000000] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
[ 0.000000] R13: dffffc0000000000 R14: ffffcef800000000 R15: ffffcef800000020
[ 0.000000] FS: 0000000000000000(0000) GS:ffff90d94dc00000(0000) knlGS:0000000000000000
[ 0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.000000] CR2: fffff5df00000004 CR3: 0000000007a0a000 CR4: 00000000000006b0
[ 0.000000] Stack:
[ 0.000000] fffffbfff554bd10 0000000000000010 ffffffffaaa07ec8 ffff90d95151fd01
[ 0.000000] ffffffffaaa07e08 ffffffffaaa07e48 ffffffffaaa07e88 ffffffffaaa07ef0
[ 0.000000] ffffffffaade10ea 1ffffffff5540fbd 0000000041b58ab3 ffffffffaa7aba45
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffffaade10ea>] free_all_bootmem+0xea/0x223
[ 0.000000] [<ffffffffaade1000>] ? reset_all_zones_managed_pages+0x58/0x58
[ 0.000000] [<ffffffffaadba8ec>] ? find_dependents_of+0x9a/0x9a
[ 0.000000] [<ffffffffaadcd56e>] ? pci_swiotlb_detect_override+0x57/0x57
[ 0.000000] [<ffffffffaadcd5f6>] ? pci_xen_swiotlb_detect+0x8/0x8
[ 0.000000] [<ffffffffaadcd63a>] ? pci_swiotlb_init+0x44/0x44
[ 0.000000] [<ffffffffaadbab31>] ? check_iommu_entries+0xd6/0x133
[ 0.000000] [<ffffffffaadcea2c>] mem_init+0x13/0x57
[ 0.000000] [<ffffffffaada546c>] start_kernel+0x270/0x603
[ 0.000000] [<ffffffffaada51fc>] ? thread_info_cache_init+0xb/0xb
[ 0.000000] [<ffffffffaae35879>] ? memblock_reserve+0x59/0x5e
[ 0.000000] [<ffffffffaada4120>] ? early_idt_handler_array+0x120/0x120
[ 0.000000] [<ffffffffaada429a>] x86_64_start_reservations+0x29/0x2b
[ 0.000000] [<ffffffffaada4384>] x86_64_start_kernel+0xe8/0xf5
[ 0.000000] Code: 5e 48 8b 45 c8 80 38 00 74 0c 48 c7 c7 80 e8 a5 aa e8 28 5b 6a fe 4d 89 e6 4c 03 35 8c ce c2 ff 4d 8d 7e 20 4c 89 f9 48 c1 e9 03 <42> 80 3c 29 00 74 08 4c 89 ff e8 7b 5b 6a fe 49 8d 7e 28 4d 89
[ 0.000000] RIP [<ffffffffaae319ff>] reserve_bootmem_region+0x84/0xce
[ 0.000000] RSP <ffffffffaaa07d98>
[ 0.000000] CR2: fffff5df00000004
[ 0.000000] ---[ end trace ad3a89ca250b9c80 ]---
[ 0.000000] Kernel panic - not syncing: Fatal exception
git bisect start 77480cfa52e7b51bab1a4f4711a4f52ad99f9b6a v4.6 --
git bisect good c174c6f15352dced3f47c92101feaea8729b4f59 # 11:41 22+ 22 Merge 'linux-review/Yingjoe-Chen/checkpatch-add-Kconfig-default-n-test/20160604-131412' into devel-hourly-2016060505
git bisect bad fa883244e2ef4a2026dcd27670b333758468c2e6 # 11:52 3- 22 Merge 'linux-review/Andrew-F-Davis/hwmon-tmp401-Add-support-for-TI-TMP461/20160601-003137' into devel-hourly-2016060505
git bisect good a4336b47e94878b4701ebd24c85375fc5bdddaf6 # 12:02 23+ 23 Merge 'linux-review/Guenter-Roeck/iwlwifi-Remove-unused-array-iwlagn_loose_lookup/20160604-054457' into devel-hourly-2016060505
git bisect good 4efcffad022a9de72253bdd494c6764c1191251f # 12:12 22+ 23 Merge 'linux-review/Andy-Shevchenko/lib-uuid-add-a-test-module/20160530-224317' into devel-hourly-2016060505
git bisect good cff8d2a4b6022c9cf2b651c592b5d44a530f2046 # 12:32 23+ 23 Merge 'random/dev' into devel-hourly-2016060505
git bisect bad 2346f731a5463a047c840830c941891fc84758ff # 12:45 3- 23 Merge 'linux-review/Florian-Fainelli/mtd-brcmnand-Add-v7-2-controller-support/20160601-013844' into devel-hourly-2016060505
git bisect good 99195d5b1f89060b4a4cea4a7034f7d3c087a6ac # 12:51 22+ 22 Merge 'linux-review/Dan-Carpenter/usb-f_fs-off-by-one-bug-in-_ffs_func_bind/20160528-125152' into devel-hourly-2016060505
git bisect good 7a5acb2e3273ba1823435e945b56a886290c1a34 # 13:05 23+ 23 Merge 'linux-review/Wei-Fang/scsi-fix-race-between-simultaneous-decrements-of-host_failed/20160602-163811' into devel-hourly-2016060505
git bisect bad 0132202bbdd7ae165c184d98e1490e8c422b5a67 # 13:15 2- 22 Merge 'linux-review/dinguyen-opensource-altera-com/usb-dwc2-Add-reset-control-to-dwc2/20160604-000810' into devel-hourly-2016060505
git bisect bad bfd7adf8fae005d026d9838641ec172607838b7d # 13:33 4- 22 Merge 'kees/kaslr/memory' into devel-hourly-2016060505
git bisect good a866e834997437307204efdc4f11a89d5dc39a89 # 13:46 24+ 4 x86/KASLR: Allow randomization below load address
git bisect good dfac57cb382d0e85382a4e530b1b913bdbf6cebb # 13:57 24+ 7 x86/mm: PUD VA support for physical mapping (x86_64)
git bisect bad 8479658a975566b290854d83bc8b99411e024602 # 14:09 8- 23 x86/mm: Memory hotplug support for KASLR memory randomization
git bisect bad c92efeaa76bb548b9f1c302b8d9748bfdfd42f16 # 14:21 4- 26 x86/mm: Implement ASLR for kernel memory sections (x86_64)
# first bad commit: [c92efeaa76bb548b9f1c302b8d9748bfdfd42f16] x86/mm: Implement ASLR for kernel memory sections (x86_64)
git bisect good dfac57cb382d0e85382a4e530b1b913bdbf6cebb # 14:27 81+ 46 x86/mm: PUD VA support for physical mapping (x86_64)
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect bad c92efeaa76bb548b9f1c302b8d9748bfdfd42f16 # 14:32 4- 22 x86/mm: Implement ASLR for kernel memory sections (x86_64)
# extra tests on HEAD of linux-devel/devel-hourly-2016060505
git bisect bad 77480cfa52e7b51bab1a4f4711a4f52ad99f9b6a # 14:32 0- 13 0day head guard for 'devel-hourly-2016060505'
# extra tests on tree/branch kees/kaslr/memory
git bisect bad 8479658a975566b290854d83bc8b99411e024602 # 14:33 0- 24 x86/mm: Memory hotplug support for KASLR memory randomization
# extra tests on tree/branch linus/master
git bisect good 049ec1b5a76d34a6980cccdb7c0baeb4eed7a993 # 14:43 81+ 22 Merge tag 'drm-fixes-for-v4.7-rc2' of git://people.freedesktop.org/~airlied/linux
# extra tests on tree/branch linux-next/master
git bisect good 64289ca05e2da843120e9ebf726dd336194996ae # 14:55 79+ 33 Add linux-next specific files for 20160603
This script may reproduce the error.
----------------------------------------------------------------------------
#!/bin/bash
# Boot the given kernel image under QEMU/KVM with the machine model and
# kernel command line the 0day robot used, serial console on stdio.
# Usage: ./reproduce.sh /path/to/bzImage
kernel=$1
[ -n "$kernel" ] || { echo "usage: $0 <bzImage>" >&2; exit 1; }
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu kvm64
-kernel "$kernel"
-m 300
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0
-boot order=nc
-no-reboot
-watchdog i6300esb
-rtc base=localtime
-serial stdio
-display none
-monitor null
)
# Kernel command line: every hang, lockup or oops is turned into a panic,
# and panic=-1 together with -no-reboot makes QEMU exit instead of hanging.
append=(
hung_task_panic=1
earlyprintk=ttyS0,115200
systemd.log_level=err
debug
apic=debug
sysrq_always_enabled
rcupdate.rcu_cpu_stall_timeout=100
panic=-1
softlockup_panic=1
nmi_watchdog=panic
oops=panic
load_ramdisk=2
prompt_ramdisk=0
console=ttyS0,115200
console=tty0
vga=normal
root=/dev/ram0
rw
drbd.minor_count=8
)
"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation