On Fri, Sep 25, 2020 at 05:32:14PM -0700, Nick Desaulniers wrote:
> Boris, one question I have. Doesn't the kernel mark pages backing
> executable code as read only at some point?
Yes, I added some debug output:
[ 562.959995][ T1] Freeing unused kernel image (initmem) memory: 2548K
[ 563.672645][ T1] Write protecting the kernel read-only data: 137216k
[0xffffffff81000000:0xffffffff89600000]
and perf_misc_flags() is well within that range:
ffffffff810118e0 <perf_misc_flags>:
[ 566.076923][ T1] unused kernel image (text/rodata gap):
[0xffffffff88608000:0xffffffff88800000]
[ 567.039076][ T1] unused kernel image (rodata/data gap):
[0xffffffff8941d000:0xffffffff89600000]
[ 568.205550][ T1] Freeing unused kernel image (text/rodata gap) memory:
2016K
[ 569.277742][ T1] Freeing unused kernel image (rodata/data gap) memory:
1932K
We also have this debug option which I enabled:
[ 570.598533][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
so that looks ok too.
> If that were the case, then I don't see how the instruction stream
> could be modified. I guess static key patching would have to undo that
> permission mapping before patching.
Yap, and I still have no clue about the mechanism which would lead to
this corruption.
> You're right about the length shorter than what I would have expected
> from static key patching. That could very well be a write through
> dangling int pointer...
Right.
Lemme try to setup one of my test boxes to run syzkaller and see how far
I can get. But don't hold your breath...
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
