NetBSD-Bugs archive


Re: port-amd64/58366: KASLR broken



On Tue, Jun 25, 2024 at 06:05:01PM +0000, Taylor R Campbell wrote:
>  > Date: Tue, 25 Jun 2024 18:07:44 +0200
>  > From: Harold Gutch <logix%foobar.franken.de@localhost>
>  >
>  > On Tue, Jun 25, 2024 at 01:36:07PM +0000, Taylor R Campbell wrote:
>  > > Can you please try the attached patch?
>  >
>  > Thanks, that gets past prekern but then panics:
>  >
>  > [   1.4884345] trap type 4 code 0 rip 0xffffffffacefd336 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffffe9e85a80
>  > [   1.5005255] curlwp 0xffffffffa0be8480 pid 0.0 lowest kstack 0xffffffffe9e812c0
>  > kernel: protection fault trap, code=0
>  > Stopped in pid 0.0 (system) at  netbsd:aes_sse2_selftest+0xb9:  ???
>  > aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
>  
>  Can you try the patch on top of the first revision you found with
>  broken prekern?
>  
>  If that works, time for another round of bisection, I guess!

Redoing round two now points to

https://mail-index.netbsd.org/source-changes/2024/03/09/msg150314.html

With a KASLR kernel from just before that commit I ran a 10 reboot
loop in qemu and I also went through a few additional cold boots.  I
didn't run into that panic a single time.

... but once again, I don't see how that might be related, so this
might be a red herring.  I'll run another few boot cycles with a
kernel from just before this commit and see what happens.


In the meanwhile:

1) Output from a *successful* pkboot /netbsd.KASLR -vx:
[   1.2098422] acpicpu0: ACPI CPUs started
[   1.2500817] IPsec: Initialized Security Association Processing.
[   1.2998684] aes: Intel SSE2 bitsliced
[   1.3103742] chacha: x86 SSE2 ChaCha
[   1.3103742] adiantum: self-test passed
[   1.3198766] aes_ccm: self-test passed
[   1.3198766] blake2s: self-test passed
[   2.3400158] waiting for devices: atabus0 atabus1
[   3.3400611] waiting for devices: atabus0 atabus1
[   4.3100719] wd0 at atabus0 drive 0
[   4.3100719] wd0: <QEMU HARDDISK>
[   4.3100719] wd0: drive supports 16-sector PIO transfers, LBA48 addressing
[   4.3100719] wd0: 5120 MB, 10402 cyl, 16 head, 63 sec, 512 bytes/sect x 10485760 sectors
[   4.3400349] waiting for devices: atabus0 atabus1 wd0
[   4.3700128] wd0: GPT GUID: 2e1ad449-2ee1-451a-8189-e947f29f9634
[   4.3800016] dk0 at wd0: "3f2e9cef-87be-4a09-939c-51e87ce238e4", 8388480 blocks at 64, type: ffs
[   4.3800016] dk1 at wd0: "337fa9b6-c1c5-4fc0-a64e-711efac5b191", 2097152 blocks at 8388544, type: swap
[   4.3900440] wd0: 32-bit data port
[   4.3900440] wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
[   4.3900440] wd0(piixide0:0:0): using PIO mode 4, DMA mode 2 (using DMA)
[   4.3999894] atapibus0 at atabus1: 2 targets
[   4.4099915] cd0 at atapibus0 drive 0: <QEMU DVD-ROM, QM00003, 2.5+> cdrom removable
[   4.4099915] cd0: 32-bit data port
[   4.4099915] cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
[   4.4099915] cd0(piixide0:1:0): using PIO mode 4, DMA mode 2 (using DMA)
[   4.4200051] crypto: assign driver 0, flags 2
[   4.4200051] crypto: driver 0 registers alg 1 flags 0 maxoplen 0
[...]
[   4.4399868] crypto: driver 0 registers alg 22 flags 0 maxoplen 0
[   4.4399868] cgd: self-test aes-xts-256
[   4.4399868] cgd: self-test aes-xts-512
[   4.4399868] cgd: self-test aes-cbc-128
[   4.4399868] cgd: self-test aes-cbc-256
[   4.4399868] cgd: self-test 3des-cbc-192
[   4.4499762] cgd: self-test blowfish-cbc-448
[   4.4499762] cgd: self-test aes-cbc-128 (encblkno8)
[   4.4499762] cgd: self-tests passed
[   4.4499762] swwdog0: software watchdog initialized


2) Output from a failed pkboot /netbsd.KASLR -vx:
[   1.2131918] acpicpu0: ACPI CPUs started
[   1.2430493] IPsec: Initialized Security Association Processing.
[   1.2730054] fatal protection fault in supervisor mode
[   1.2730054] trap type 4 code 0 rip 0xffffffffe78c60a6 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffff91ed6a80
[   1.2730054] curlwp 0xffffffffc1f00f00 pid 0.0 lowest kstack 0xffffffff91ed22c0
kernel: protection fault trap, code=0
Stopped in pid 0.0 (system) at  netbsd:aes_sse2_selftest+0xb9:  ???
aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
aes_sse2_probe() at netbsd:aes_sse2_probe+0x14
aes_selftest() at netbsd:aes_selftest+0x26
aes_modcmd() at netbsd:aes_modcmd+0xf7
module_do_builtin() at netbsd:module_do_builtin+0x17d
module_do_builtin() at netbsd:module_do_builtin+0x132
module_init_class() at netbsd:module_init_class+0x1cf
main() at netbsd:main+0x4fc
start_prekern() at netbsd:start_prekern+0xf5
?() at 100641
ds          0
es          1
fs          8
gs          f1ef
rdi         0
rsi         2
rbp         ffffffff91ed6ac0
rbx         fffffffff6ab4714
rdx         0
rcx         0
rax         0
db{0}> show page
PAGE 0xffffffffe78c60a6:
  flags=0x6601f173<CLEAN,DIRTY,PAGEOUT,RELEASED,FAKE,ZERO,FILE,READAHEAD,FREE,MARKER,PAGER1>
  pqflags=0xf66d04d<INTENT_0,INTENT_SET,INTENT_QUEUED,PRIVATE3,WANTED>
  uobject=0x6a0f66c86f0f66c8, uanon=0x7e0f416655c8700f, offset=0xf66c97e0f4166c8

[   1.2851297] panic: kernel diagnostic assertion "upm != UVM_PHYSSEG_TYPE_INVALID" failed: file "/home/h/netbsd/git/src/sys/uvm/uvm_page.c", line 2015 
[   1.2851297] cpu0: Begin traceback...
[   1.2851297] vpanic() at netbsd:vpanic+0x173
[   1.2851297] kern_assert() at netbsd:kern_assert+0x4b
[   1.2851297] uvm_page_lookup_freelist() at netbsd:uvm_page_lookup_freelist+0x59
[   1.2851297] uvm_page_printit() at netbsd:uvm_page_printit+0xc1
[   1.2851297] db_command() at netbsd:db_command+0x123
[   1.2851297] db_command_loop() at netbsd:db_command_loop+0xa4
[   1.2851297] db_trap() at netbsd:db_trap+0xcc
[   1.2851297] kdb_trap() at netbsd:kdb_trap+0x106
[   1.2851297] trap() at netbsd:trap+0x28f
[   1.2851297] --- trap (number 4) ---
[   1.2851297] aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
[   1.2851297] aes_sse2_probe() at netbsd:aes_sse2_probe+0x14
[   1.2851297] aes_selftest() at netbsd:aes_selftest+0x26
[   1.2851297] aes_modcmd() at netbsd:aes_modcmd+0xf7
[   1.2851297] module_do_builtin() at netbsd:module_do_builtin+0x17d
[   1.2851297] module_do_builtin() at netbsd:module_do_builtin+0x132
[   1.2851297] module_init_class() at netbsd:module_init_class+0x1cf
[   1.2851297] main() at netbsd:main+0x4fc
[   1.2851297] start_prekern() at netbsd:start_prekern+0xf5
[   1.2851297] ?() at 100641
[   1.2851297] cpu0: End traceback...
[   1.2851297] fatal breakpoint trap in supervisor mode
[   1.2851297] trap type 1 code 0 rip 0xffffffffae63c405 cs 0x8 rflags 0x202 cr2 0 ilevel 0x8 rsp 0xffffffff91ed6480
[   1.2851297] curlwp 0xffffffffc1f00f00 pid 0.0 lowest kstack 0xffffffff91ed22c0
Stopped in pid 0.0 (system) at  netbsd:breakpoint+0x5:  leave
db{0}> 


  Harold
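The reboot loop described in the report, as an added helper script (not part of the bug report or the NetBSD tree): it boots a disk image under qemu N times, saves each console log, and classifies every run as PASS, PANIC:<function> or UNKNOWN from the same "cgd: self-tests passed" / "Stopped in pid ... at netbsd:FUNC+OFF" lines shown above, so an intermittent prekern/KASLR panic can be counted per bisection step. Assumptions: qemu-system-x86_64 is installed, ./disk.img (assumed name) is a NetBSD image whose boot.cfg already selects the serial console and runs "pkboot /netbsd.KASLR -vx", and timeout(1) is available.

```shell
#!/bin/sh
# Added example, not from the bug report or the NetBSD tree.
# Assumed setup: ./disk.img boots via boot.cfg into "pkboot /netbsd.KASLR -vx"
# with the console on com0, so -nographic captures the kernel messages.

classify_boot_log() {
    # $1: captured console log.  Prints exactly one classification line.
    if grep -q 'protection fault' "$1"; then
        # Function name from "Stopped in pid ... at netbsd:FUNC+OFF:".
        fn=$(sed -n 's/.*Stopped in pid [0-9.]* ([a-z]*) at *netbsd:\([A-Za-z0-9_]*\)+.*/\1/p' "$1" | head -n 1)
        printf 'PANIC:%s\n' "${fn:-unknown}"
    elif grep -q 'cgd: self-tests passed' "$1"; then
        printf 'PASS\n'
    else
        printf 'UNKNOWN\n'
    fi
}

boot_loop() {
    # $1: number of boots, $2: seconds to let each boot run before killing it.
    # Each run's console is saved as boot-N.log in the current directory.
    n=$1; secs=$2; i=1; failures=0
    while [ "$i" -le "$n" ]; do
        log=boot-$i.log
        # timeout kills qemu once the guest has had long enough to reach the
        # cgd self-tests (or to panic); qemu's exit status is not meaningful.
        timeout "$secs" qemu-system-x86_64 -m 1024 -nographic \
            -drive file=disk.img,format=raw > "$log" 2>&1 || true
        result=$(classify_boot_log "$log")
        printf 'boot %d: %s\n' "$i" "$result"
        case $result in PANIC:*) failures=$((failures + 1)) ;; esac
        i=$((i + 1))
    done
    printf '%d of %d boots panicked\n' "$failures" "$n"
    # Exit status is the panic count (0 means every boot passed).
    return "$failures"
}

# "sh kaslr-boot-loop.sh run 10 120" runs a ten-boot loop with a 120 s budget
# per boot; sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then
    boot_loop "${2:-10}" "${3:-120}"
fi
```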

