| 1 |
On 5 Jul 2007 at 10:19, Natanael Copa wrote: |
| 2 |
|
| 3 |
> I'm tryning to run a gentoo hardened kernel as a qemu guest but PAX is |
| 4 |
> not happy. It works fine in vmware. |
| 5 |
|
| 6 |
'fine' is a relative word here, see below ;-). |
| 7 |
|
| 8 |
> Any ideas how to find out what this really is? |
| 9 |
> |
| 10 |
> I tried kvm-28 (with kvm-intel) and qemu-0.9 (non kvm). |
| 11 |
[...] |
| 12 |
> PAX: swapper:1, uid/euid: 0/0, attempted to modify kernel code at virtual address c0551c08 |
| 13 |
> printing eip: |
| 14 |
> 0000e9d7 |
| 15 |
|
| 16 |
this says that the kernel wanted to write to some otherwise read-only |
| 17 |
area (as created/enforced by KERNEXEC that the hardened kernel uses). |
| 18 |
after some decoding of the oops code i figured that it must come from |
| 19 |
the free_initmem() function where KERNEXEC activates the read-only |
| 20 |
mappings for the kernel. and after a split second of reflection one |
| 21 |
can figure out that there's indeed a bug in there in that KERNEXEC |
| 22 |
can shoot itself in the foot so to speak. |
| 23 |
|
| 24 |
while going through the kernel's page directory to modify the writable |
| 25 |
entries to become read-only (covering the read-only kernel virtual |
| 26 |
address range), it will make the page directory (swapper_p[gm]_dir) |
| 27 |
read-only as well - even before it has modified the last needed entry |
| 28 |
in it -> instant page fault as you reported it, but only *if* the TLBs |
| 29 |
get flushed somehow during this short tight loop. |
| 30 |
|
| 31 |
apparently the intercept logic in qemu/kvm does/causes this TLB flush |
| 32 |
while vmware doesn't (or it has some extra detection logic that still |
| 33 |
enables writes to this read-only area, not that good then as it |
| 34 |
circumvents security, and to be honest, i've never once seen vmware |
| 35 |
fault here for the past 4 years, so my bet is on the extra logic). |
| 36 |
|
| 37 |
for an extra confirmation, can you post the output of |
| 38 |
|
| 39 |
egrep 'swapper_p|MODULES_| _data' System.map |
| 40 |
|
| 41 |
? |
| 42 |
|
| 43 |
in any case, thanks for the report, i'll fix it for 2.6.22. |
| 44 |
|
| 45 |
-- |
| 46 |
gentoo-hardened@g.o mailing list |
Archives