On 5 Jul 2007 at 10:19, Natanael Copa wrote:

> I'm trying to run a gentoo hardened kernel as a qemu guest but PAX is
> not happy. It works fine in vmware.

'fine' is a relative word here, see below ;-).

> Any ideas how to find out what this really is?
>
> I tried kvm-28 (with kvm-intel) and qemu-0.9 (non kvm).
[...]
> PAX: swapper:1, uid/euid: 0/0, attempted to modify kernel code at virtual address c0551c08
> printing eip:
> 0000e9d7

this says that the kernel wanted to write to some otherwise read-only
area (as created/enforced by KERNEXEC that the hardened kernel uses).
after some decoding of the oops code i figured that it must come from
the free_initmem() function where KERNEXEC activates the read-only
mappings for the kernel. and after a split second of reflection one
can figure out that there's indeed a bug in there in that KERNEXEC
can shoot itself in the foot, so to speak.

while going through the kernel's page directory to modify the writable
entries to become read-only (covering the read-only kernel virtual
address range), it will make the page directory (swapper_p[gm]_dir)
read-only as well - even before it has modified the last needed entry
in it -> instant page fault as you reported it, but only *if* the TLBs
get flushed somehow during this short tight loop.

apparently the intercept logic in qemu/kvm does/causes this TLB flush
while vmware doesn't (or it has some extra detection logic that still
enables writes to this read-only area, not that good then as it
circumvents security, and to be honest, i've never once seen vmware
fault here for the past 4 years, so my bet is on the extra logic).

for an extra confirmation, can you post the output of

egrep 'swapper_p|MODULES_| _data' System.map

?

in any case, thanks for the report, i'll fix it for 2.6.22.

--
gentoo-hardened@g.o mailing list
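The ordering hazard described in the reply, as a constructed simulation added here (this is not PaX/KERNEXEC code and not the fix that went into 2.6.22, which the mail does not show). It models a tiny address space in which the page table lives in one of the pages it is protecting (PGD_PAGE, an assumed index standing in for swapper_pg_dir), a TLB as a cached copy of the permission bits, and a hypervisor-like option that flushes the TLB after every store to the table. Walking the table in plain ascending order makes the table's own page read-only before the walk is finished; with a flush in between, the next update faults exactly as in the report, and without a flush it "works" only because the CPU is still using a stale RW entry. Protecting the table's own page last removes the dependency on flush timing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NPAGES   8   /* constructed: size of the toy address space */
#define PGD_PAGE 5   /* constructed: the page that holds the page table itself */

struct mmu {
    bool writable_pte[NPAGES];  /* permission as recorded in the page table */
    bool writable_tlb[NPAGES];  /* permission as cached by the CPU */
    bool flush_on_store;        /* hypervisor-style: flush TLB after each table update */
};

static void mmu_init(struct mmu *m, bool flush_on_store)
{
    for (int i = 0; i < NPAGES; i++)
        m->writable_pte[i] = m->writable_tlb[i] = true;
    m->flush_on_store = flush_on_store;
}

/* Re-read every permission from the table, as a real TLB flush would. */
static void tlb_flush(struct mmu *m)
{
    for (int i = 0; i < NPAGES; i++)
        m->writable_tlb[i] = m->writable_pte[i];
}

/* A store is checked against the cached permission, not the table. */
static bool store_ok(const struct mmu *m, int page)
{
    return m->writable_tlb[page];
}

/* Clear the writable bit of `target`. The table lives in PGD_PAGE, so this
 * is itself a store into PGD_PAGE and faults once that page is read-only
 * in the TLB. Returns false on fault. */
static bool make_ro(struct mmu *m, int target)
{
    if (!store_ok(m, PGD_PAGE))
        return false;
    m->writable_pte[target] = false;
    if (m->flush_on_store)
        tlb_flush(m);
    return true;
}

/* Write-protect every page. With pgd_last == false the walk is in plain
 * index order (the hazard); with pgd_last == true the table's own page is
 * handled after all others. Returns the page whose update faulted, or -1
 * when the whole range was protected. `out`, if non-NULL, receives the
 * final MMU state so a caller can inspect stale TLB entries. */
int protect_kernel(bool pgd_last, bool flush_on_store, struct mmu *out)
{
    struct mmu m;
    int order[NPAGES], n = 0;

    mmu_init(&m, flush_on_store);
    for (int i = 0; i < NPAGES; i++)
        if (!pgd_last || i != PGD_PAGE)
            order[n++] = i;
    if (pgd_last)
        order[n++] = PGD_PAGE;

    for (int i = 0; i < n; i++) {
        if (!make_ro(&m, order[i])) {
            if (out) *out = m;
            return order[i];
        }
    }
    if (out) *out = m;
    return -1;
}

int main(void)
{
    struct mmu m;
    printf("index order, TLB flushed per store : fault on page %d\n",
           protect_kernel(false, true, NULL));
    printf("index order, no flush              : fault on page %d\n",
           protect_kernel(false, false, &m));
    printf("  (table page still cached as writable: %s)\n",
           m.writable_tlb[PGD_PAGE] ? "yes" : "no");
    printf("table page last, TLB flushed       : fault on page %d\n",
           protect_kernel(true, true, &m));
    return 0;
}
```

The no-flush run returning -1 is the "works fine in vmware" case from the mail: the table is read-only in memory but the CPU still honours the stale RW entry for PGD_PAGE, so the last few updates go through silently rather than correctly.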