PaX Team wrote:can you guys try to add this somewhere at the beginning of kernel/resource.c:allocate_resource()
- Code: Select all
printk("PAX: root:%pR new:%pR\n", root, new);dump_stack();
and send me the results (or just show here the log related to the bad range)? also i expect that the primary caller will be drivers/pci/bus.c:pci_bus_alloc_resource and it'd be nice if you could print out the pci bus info there but i don't know if there's a handy function for it or not.
I don't actually get anything.
So far this is what I've added
- Code: Select all
# diff -up kernel/resource.c.orig kernel/resource.c
--- kernel/resource.c.orig 2013-04-15 17:07:53.000000000 +0100
+++ kernel/resource.c 2013-04-15 17:16:27.000000000 +0100
@@ -543,6 +543,7 @@ int allocate_resource(struct resource *r
int err;
struct resource_constraint constraint;
+printk("not-PAX: root:%pR new:%pR\n", root, new);dump_stack();
if (!alignf)
alignf = simple_align_resource;
# diff -up include/linux/ioport.h.orig include/linux/ioport.h
--- include/linux/ioport.h.orig 2013-04-16 16:11:05.000000000 +0100
+++ include/linux/ioport.h 2013-04-15 13:32:51.000000000 +0100
@@ -166,8 +166,10 @@ struct resource *lookup_resource(struct
int adjust_resource(struct resource *res, resource_size_t start,
resource_size_t size);
resource_size_t resource_alignment(struct resource *res);
+int printk(const char *fmt, ...);
static inline resource_size_t resource_size(const struct resource *res)
{
+ printk("not-PAX: %pR\n", res);
return res->end - res->start + 1;
}
static inline unsigned long resource_type(const struct resource *res)
And I get no 'not-PAX: root...' output
....
[ 2.037539] Brought up 16 CPUs
[ 2.040653] Total of 16 processors activated (76802.22 BogoMIPS).
[ 2.063571] devtmpfs: initialized
[ 2.069690] xor: automatically using best checksumming function: generic_sse
[ 2.097299] generic_sse: 9049.000 MB/sec
[ 2.101627] xor: using function: generic_sse (9049.000 MB/sec)
[ 2.107606] NET: Registered protocol family 16
[ 2.112525] ACPI: bus type pci registered
[ 2.116714] PCI: MMCONFIG for domain 0000 [bus 00-ff] at [mem 0xe0000000-0xefffffff] (base 0xe0000000)
[ 2.126082] not-PAX: [mem 0xe0000000-0xefffffff]
[ 2.130755] PCI: MMCONFIG at [mem 0xe0000000-0xefffffff] reserved in E820
[ 2.159738] PCI: Using configuration type 1 for base access
[ 2.171924] bio: create slab <bio-0> at 0
[ 2.241088] raid6: int64x1 2422 MB/s
[ 2.308997] raid6: int64x2 2361 MB/s
[ 2.376880] raid6: int64x4 1999 MB/s
[ 2.444777] raid6: int64x8 1578 MB/s
[ 2.512659] raid6: sse2x1 5919 MB/s
[ 2.580561] raid6: sse2x2 6878 MB/s
[ 2.652446] raid6: sse2x4 7835 MB/s
[ 2.656252] raid6: using algorithm sse2x4 (7835 MB/s)
[ 2.661450] ACPI: Added _OSI(Module Device)
[ 2.665687] ACPI: Added _OSI(Processor Device)
[ 2.670187] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 2.674945] ACPI: Added _OSI(Processor Aggregator Device)
[ 2.681967] ACPI: Executed 1 blocks of module-level executable AML code
[ 2.724368] ACPI: SSDT 00000000bf79e200 02FB4 (v01 DpgPmm P001Ist 00000011 INTL 20051117)
[ 2.733350] ACPI: Dynamic OEM Table Load:
[ 2.737534] ACPI: SSDT (nil) 02FB4 (v01 DpgPmm P001Ist 00000011 INTL 20051117)
[ 2.746117] ACPI: SSDT 00000000bf7a11c0 00961 (v01 PmRef P001Cst 00003001 INTL 20051117)
[ 2.754823] ACPI: Dynamic OEM Table Load:
[ 2.759020] ACPI: SSDT (nil) 00961 (v01 PmRef P001Cst 00003001 INTL 20051117)
[ 2.767745] ACPI: Interpreter enabled
[ 2.771465] ACPI: (supports S0 S5)
[ 2.775055] ACPI: Using IOAPIC for interrupt routing
[ 2.791201] ACPI: No dock devices found.
[ 2.795188] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[ 2.804634] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[ 2.811141] pci_root PNP0A08:00: host bridge window [io 0x0000-0x03af]
[ 2.817808] pci_root PNP0A08:00: host bridge window [io 0x03e0-0x0cf7]
[ 2.824478] pci_root PNP0A08:00: host bridge window [io 0x03b0-0x03bb]
[ 2.831139] pci_root PNP0A08:00: host bridge window [io 0x03c0-0x03df]
[ 2.838860] pci_root PNP0A08:00: host bridge window [io 0x0d00-0xefff]
[ 2.845522] pci_root PNP0A08:00: host bridge window [io 0xf000-0xffff]
[ 2.852186] pci_root PNP0A08:00: host bridge window [mem 0x000a0000-0x000bffff]
[ 2.859558] pci_root PNP0A08:00: host bridge window [mem 0x000d0000-0x000dffff]
[ 2.866930] pci_root PNP0A08:00: host bridge window [mem 0xc0000000-0xdfffffff]
[ 2.874304] pci_root PNP0A08:00: host bridge window [mem 0xf0000000-0xfed8ffff]
[ 2.881675] pci_root PNP0A08:00: host bridge window [mem 0xfed40000-0xfed44fff]
[ 2.889050] pci_root PNP0A08:00: host bridge window expanded to [mem 0xf0000000-0xfed8ffff]; [mem 0xfed40000-0xfed44fff] ignored
[ 2.900674] pci_root PNP0A08:00: ignoring host bridge window [mem 0x000d0000-0x000dffff] (conflicts with Adapter ROM [mem 0x000cb000-0x000d13ff])
[ 2.916382] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 1 PIO at 0a00 (mask 00ff)
[ 2.924021] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 2 PIO at 4700 (mask 00ff)
[ 2.931661] pci 0000:00:1f.0: ICH7 LPC Generic IO decode 4 PIO at 0ca0 (mask 000f)
[ 2.939542] pci 0000:00:01.0: PCI bridge to [bus 01-01]
[ 2.944856] pci 0000:00:03.0: PCI bridge to [bus 02-02]
[ 2.950168] pci 0000:00:07.0: PCI bridge to [bus 03-03]
[ 2.959980] pci 0000:00:09.0: PCI bridge to [bus 04-04]
[ 2.965305] pci 0000:00:1c.0: PCI bridge to [bus 05-05]
[ 2.975959] pci 0000:00:1c.4: PCI bridge to [bus 06-06]
[ 2.987940] pci 0000:00:1c.5: PCI bridge to [bus 07-07]
[ 2.993398] pci 0000:00:1e.0: PCI bridge to [bus 08-08] (subtractive decode)
[ 3.001428] pci0000:00: Requesting ACPI _OSC control (0x1d)
[ 3.007501] pci0000:00: ACPI _OSC control (0x1c) granted
[ 3.036284] ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 6 7 10 *11 12 14 15)
[ 3.043923] ACPI: PCI Interrupt Link [LNKB] (IRQs 3 4 6 7 *10 11 12 14 15)
[ 3.051554] ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 6 7 10 11 12 14 *15)
[ 3.059184] ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 6 7 10 11 12 *14 15)
[ 3.066817] ACPI: PCI Interrupt Link [LNKE] (IRQs 3 4 6 7 10 11 12 14 15) *0, disabled.
[ 3.075712] ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 6 *7 10 11 12 14 15)
[ 3.083344] ACPI: PCI Interrupt Link [LNKG] (IRQs 3 4 *6 7 10 11 12 14 15)
[ 3.090977] ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 6 7 *10 11 12 14 15)
[ 3.099884] vgaarb: device added: PCI:0000:08:01.0,decodes=io+mem,owns=io+mem,locks=none
[ 3.108033] vgaarb: loaded
[ 3.110792] vgaarb: bridge control possible 0000:08:01.0
[ 3.116414] SCSI subsystem initialized
[ 3.120579] PCI: Using ACPI for IRQ routing
[ 3.130522] PCI: Discovered peer bus fe
[ 3.136331] PCI: Discovered peer bus ff
[ 3.142580] Switching to clocksource hpet
[ 3.146861] pnp: PnP ACPI init
[ 3.149991] ACPI: bus type pnp registered
[ 3.154597] system 00:01: [mem 0xfed1c000-0xfed1ffff] has been reserved
[ 3.162071] system 00:06: [io 0x0a10-0x0a1f] has been reserved
[ 3.169230] system 00:09: [io 0x0ca2-0x0ca3] has been reserved
[ 3.175204] system 00:09: [io 0x0cf8-0x0cff] could not be reserved
[ 3.181530] system 00:09: [io 0x04d0-0x04d1] has been reserved
[ 3.187502] system 00:09: [io 0x0800-0x087f] has been reserved
[ 3.193481] system 00:09: [io 0x0500-0x057f] has been reserved
[ 3.199452] system 00:09: [mem 0x00000400-0x000004ff] could not be reserved
[ 3.206470] system 00:09: [mem 0xfed1c000-0xfed1ffff] has been reserved
[ 3.213143] system 00:09: [mem 0xfed20000-0xfed3ffff] has been reserved
[ 3.219814] system 00:09: [mem 0xfed40000-0xfed8ffff] has been reserved
[ 3.226906] system 00:0b: [mem 0xfec00000-0xfec00fff] could not be reserved
[ 3.233919] system 00:0b: [mem 0xfee00000-0xfee00fff] has been reserved
[ 3.240793] system 00:0c: [mem 0xe0000000-0xefffffff] has been reserved
[ 3.247757] system 00:0d: [mem 0x000c0000-0x000cffff] could not be reserved
[ 3.254773] system 00:0d: [mem 0x000e0000-0x000fffff] could not be reserved
[ 3.261791] system 00:0d: [mem 0xfed90000-0xffffffff] could not be reserved
[ 3.268962] pnp: PnP ACPI: found 14 devices
[ 3.273204] ACPI: ACPI bus type pnp unregistered
[ 3.288707] not-PAX: [io 0x0000]
[ 3.292077] not-PAX: [mem 0x00000000 pref]
[ 3.296231] not-PAX: [mem 0x00000000]
[ 3.299955] not-PAX: [io 0x0000]
[ 3.303326] not-PAX: [mem 0x00000000 pref]
[ 3.307479] not-PAX: [mem 0x00000000]
[ 3.311205] not-PAX: [io 0x0000]
[ 3.314576] not-PAX: [mem 0x00000000 pref]
[ 3.318728] not-PAX: [mem 0x00000000]
[ 3.322455] not-PAX: [mem 0x00000000 pref]
[ 3.326610] not-PAX: [io 0x0000]
[ 3.329974] not-PAX: [io 0x0000]
[ 3.333345] not-PAX: [mem 0x00000000 pref]
[ 3.337498] not-PAX: [mem 0x00000000 pref]
[ 3.341652] not-PAX: [mem 0x00000000]
[ 3.345372] not-PAX: [mem 0x00000000]
[ 3.350173] not-PAX: [mem 0x00000000 pref]
[ 3.354330] not-PAX: [mem 0x00000000 pref]
[ 3.358488] not-PAX: [mem 0x00000000 pref]
[ 3.362637] not-PAX: [mem 0x00000000 pref]
[ 3.366795] not-PAX: [io 0x0000]
[ 3.370180] not-PAX: [mem 0x00100000-0x000fffff]
[ 3.374857] PAX: size overflow detected in function resource_size include/linux/ioport.h:173 cicus.54_10 min, count: 6
[ 3.385613] Pid: 1, comm: swapper/0 Not tainted 3.2.43-hardened #1
[ 3.391851] Call Trace:
[ 3.394368] [<ffffffff810c697b>] ? report_size_overflow+0x22/0x2c
[ 3.400606] [<ffffffff812719bc>] ? __assign_resources_sorted+0x160/0x2b3
[ 3.407448] [<ffffffff814222ac>] ? __pci_bus_assign_resources+0x4d/0xdf
[ 3.414206] [<ffffffff81a46b8c>] ? pci_assign_unassigned_resources+0xf7/0x3ed
[ 3.421500] [<ffffffff812675ce>] ? pci_do_find_bus+0x42/0x42
[ 3.427307] [<ffffffff812e6185>] ? bus_find_device+0x88/0x9e
[ 3.433112] [<ffffffff812675ce>] ? pci_do_find_bus+0x42/0x42
[ 3.438909] [<ffffffff81267802>] ? pci_get_subsys+0x67/0x7f
[ 3.444621] [<ffffffff81a55c31>] ? pcibios_assign_resources+0xe3/0xf7
[ 3.451205] [<ffffffff81a55b4e>] ? pcibios_allocate_bus_resources+0x11e/0x11e
[ 3.458493] [<ffffffff8100021d>] ? do_one_initcall+0x8d/0x134
[ 3.464379] [<ffffffff81a0f1bf>] ? kernel_init+0x129/0x219
[ 3.470014] [<ffffffff81442a39>] ? kernel_thread_helper+0x9/0x20
[ 3.476164] [<ffffffff814402aa>] ? retint_restore_args+0x6/0xd
[ 3.482143] [<ffffffff81a0f096>] ? start_kernel+0x44a/0x44a
[ 3.492943] [<ffffffff81442a30>] ? gs_change+0x1b/0x1b
[ 3.498223] Kernel panic - not syncing: Attempted to kill init!
[ 3.504196] Pid: 1, comm: swapper/0 Not tainted 3.2.43-hardened #1
[ 3.510425] Call Trace:
[ 3.512929] [<ffffffff81435f15>] ? panic+0xaf/0x1dc
[ 3.517949] [<ffffffff810377c1>] ? do_exit+0xa0/0x733
[ 3.523139] [<ffffffff81038123>] ? do_group_exit+0x6f/0x99
[ 3.528763] [<ffffffff810c6985>] ? report_size_overflow+0x2c/0x2c
[ 3.534995] [<ffffffff812719bc>] ? __assign_resources_sorted+0x160/0x2b3
[ 3.541832] [<ffffffff814222ac>] ? __pci_bus_assign_resources+0x4d/0xdf
[ 3.548580] [<ffffffff81a46b8c>] ? pci_assign_unassigned_resources+0xf7/0x3ed
[ 3.555866] [<ffffffff812675ce>] ? pci_do_find_bus+0x42/0x42
[ 3.561663] [<ffffffff812e6185>] ? bus_find_device+0x88/0x9e
[ 3.567462] [<ffffffff812675ce>] ? pci_do_find_bus+0x42/0x42
[ 3.573259] [<ffffffff81267802>] ? pci_get_subsys+0x67/0x7f
[ 3.578971] [<ffffffff81a55c31>] ? pcibios_assign_resources+0xe3/0xf7
[ 3.585548] [<ffffffff81a55b4e>] ? pcibios_allocate_bus_resources+0x11e/0x11e
[ 3.592833] [<ffffffff8100021d>] ? do_one_initcall+0x8d/0x134
[ 3.598718] [<ffffffff81a0f1bf>] ? kernel_init+0x129/0x219
[ 3.605409] [<ffffffff81442a39>] ? kernel_thread_helper+0x9/0x20
[ 3.611551] [<ffffffff814402aa>] ? retint_restore_args+0x6/0xd
[ 3.617523] [<ffffffff81a0f096>] ? start_kernel+0x44a/0x44a
[ 3.623232] [<ffffffff81442a30>] ? gs_change+0x1b/0x1b
When adding it like this and I hope I did so at the right place, I cannot compile it anymore:
) as the struct resource based code encodes a 0 sized interval with a ULLONG_MAX size (i.e., end = start + 0 - 1). resource_size() then computes the actual size by end-start+1 which will trigger an integer underflow on the end-start computation and is what the overflow plugin catches. now integer overflows are well defined for unsigned quantities, so from a strict language point of view this code works but oh boy, is it a badly designed API.... so i think we'll have no choice but to take struct resource related computations out of the overflow plugin coverage.