Re: "bad pmd" errors + oops with KPTI on 4.14.11 after loading X.509 certs

From: Andy Lutomirski
Date: Wed Jan 03 2018 - 23:46:26 EST

Next message: syzbot: "KASAN: use-after-free Read in __dev_queue_xmit"
Previous message: Al Viro: "Re: [RFC PATCH] asm/generic: introduce if_nospec and nospec_barrier"
In reply to: Benjamin Gilbert: "Re: "bad pmd" errors + oops with KPTI on 4.14.11 after loading X.509 certs"
Next in thread: Thomas Gleixner: "Re: "bad pmd" errors + oops with KPTI on 4.14.11 after loading X.509 certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 3, 2018 at 8:35 PM, Benjamin Gilbert
<benjamin.gilbert@xxxxxxxxxx> wrote:
> On Wed, Jan 03, 2018 at 04:37:53PM -0800, Andy Lutomirski wrote:
>> Maybe try rebuilding a bad kernel with free_ldt_pgtables() modified
>> to do nothing, and the read /sys/kernel/debug/page_tables/current (or
>> current_kernel, or whatever it's called). The problem may be obvious.
>
> current_kernel attached. I have not seen any crashes with
> free_ldt_pgtables() stubbed out.

I haven't reproduced it, but I think I see what's wrong. KASLR sets
vaddr_end to a totally bogus value. It should be no larger than
LDT_BASE_ADDR. I suspect that your vmemmap is getting randomized into
the LDT range. If it weren't for that, it could just as easily land
in the cpu_entry_area range. This will need fixing in all versions
that aren't still called KAISER.

Our memory map code is utter shite. This kind of bug should not be
possible without a giant warning at boot that something is screwed up.

Next message: syzbot: "KASAN: use-after-free Read in __dev_queue_xmit"
Previous message: Al Viro: "Re: [RFC PATCH] asm/generic: introduce if_nospec and nospec_barrier"
In reply to: Benjamin Gilbert: "Re: "bad pmd" errors + oops with KPTI on 4.14.11 after loading X.509 certs"
Next in thread: Thomas Gleixner: "Re: "bad pmd" errors + oops with KPTI on 4.14.11 after loading X.509 certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]