NetBSD-Bugs archive
Re: port-amd64/58366: KASLR broken
The following reply was made to PR port-amd64/58366; it has been noted by GNATS.
From: Harold Gutch <logix%foobar.franken.de@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: port-amd64-maintainer%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: port-amd64/58366: KASLR broken
Date: Sat, 29 Jun 2024 17:42:49 +0200
On Tue, Jun 25, 2024 at 06:05:01PM +0000, Taylor R Campbell wrote:
> > Date: Tue, 25 Jun 2024 18:07:44 +0200
> > From: Harold Gutch <logix%foobar.franken.de@localhost>
> >
> > On Tue, Jun 25, 2024 at 01:36:07PM +0000, Taylor R Campbell wrote:
> > > Can you please try the attached patch?
> >
> > Thanks, that gets past prekern but then panics:
> >
> > [ 1.4884345] trap type 4 code 0 rip 0xffffffffacefd336 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffffe9e85a80
> > [ 1.5005255] curlwp 0xffffffffa0be8480 pid 0.0 lowest kstack 0xffffffffe9e812c0
> > kernel: protection fault trap, code=0
> > Stopped in pid 0.0 (system) at netbsd:aes_sse2_selftest+0xb9: ???
> > aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
>
> Can you try the patch on top of the first revision you found with
> broken prekern?
>
> If that works, time for another round of bisection, I guess!
Redoing round two now points to
https://mail-index.netbsd.org/source-changes/2024/03/09/msg150314.html
With a KASLR kernel from just before that commit I ran a 10 reboot
loop in qemu and I also went through a few additional cold boots. I
didn't run into that panic a single time.
... but once again, I don't see how that might be related, so this
might be a red herring. I'll run another few boot cycles with a
kernel from just before this commit and see what happens.
In the meanwhile:
1) Output from a *successful* pkboot /netbsd.KASLR -vx:
[ 1.2098422] acpicpu0: ACPI CPUs started
[ 1.2500817] IPsec: Initialized Security Association Processing.
[ 1.2998684] aes: Intel SSE2 bitsliced
[ 1.3103742] chacha: x86 SSE2 ChaCha
[ 1.3103742] adiantum: self-test passed
[ 1.3198766] aes_ccm: self-test passed
[ 1.3198766] blake2s: self-test passed
[ 2.3400158] waiting for devices: atabus0 atabus1
[ 3.3400611] waiting for devices: atabus0 atabus1
[ 4.3100719] wd0 at atabus0 drive 0
[ 4.3100719] wd0: <QEMU HARDDISK>
[ 4.3100719] wd0: drive supports 16-sector PIO transfers, LBA48 addressing
[ 4.3100719] wd0: 5120 MB, 10402 cyl, 16 head, 63 sec, 512 bytes/sect x 10485760 sectors
[ 4.3400349] waiting for devices: atabus0 atabus1 wd0
[ 4.3700128] wd0: GPT GUID: 2e1ad449-2ee1-451a-8189-e947f29f9634
[ 4.3800016] dk0 at wd0: "3f2e9cef-87be-4a09-939c-51e87ce238e4", 8388480 blocks at 64, type: ffs
[ 4.3800016] dk1 at wd0: "337fa9b6-c1c5-4fc0-a64e-711efac5b191", 2097152 blocks at 8388544, type: swap
[ 4.3900440] wd0: 32-bit data port
[ 4.3900440] wd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
[ 4.3900440] wd0(piixide0:0:0): using PIO mode 4, DMA mode 2 (using DMA)
[ 4.3999894] atapibus0 at atabus1: 2 targets
[ 4.4099915] cd0 at atapibus0 drive 0: <QEMU DVD-ROM, QM00003, 2.5+> cdrom removable
[ 4.4099915] cd0: 32-bit data port
[ 4.4099915] cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 5 (Ultra/100)
[ 4.4099915] cd0(piixide0:1:0): using PIO mode 4, DMA mode 2 (using DMA)
[ 4.4200051] crypto: assign driver 0, flags 2
[ 4.4200051] crypto: driver 0 registers alg 1 flags 0 maxoplen 0
[...]
[ 4.4399868] crypto: driver 0 registers alg 22 flags 0 maxoplen 0
[ 4.4399868] cgd: self-test aes-xts-256
[ 4.4399868] cgd: self-test aes-xts-512
[ 4.4399868] cgd: self-test aes-cbc-128
[ 4.4399868] cgd: self-test aes-cbc-256
[ 4.4399868] cgd: self-test 3des-cbc-192
[ 4.4499762] cgd: self-test blowfish-cbc-448
[ 4.4499762] cgd: self-test aes-cbc-128 (encblkno8)
[ 4.4499762] cgd: self-tests passed
[ 4.4499762] swwdog0: software watchdog initialized
2) Output from a failed pkboot /netbsd.KASLR -vx:
[ 1.2131918] acpicpu0: ACPI CPUs started
[ 1.2430493] IPsec: Initialized Security Association Processing.
[ 1.2730054] fatal protection fault in supervisor mode
[ 1.2730054] trap type 4 code 0 rip 0xffffffffe78c60a6 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffff91ed6a80
[ 1.2730054] curlwp 0xffffffffc1f00f00 pid 0.0 lowest kstack 0xffffffff91ed22c0
kernel: protection fault trap, code=0
Stopped in pid 0.0 (system) at netbsd:aes_sse2_selftest+0xb9: ???
aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
aes_sse2_probe() at netbsd:aes_sse2_probe+0x14
aes_selftest() at netbsd:aes_selftest+0x26
aes_modcmd() at netbsd:aes_modcmd+0xf7
module_do_builtin() at netbsd:module_do_builtin+0x17d
module_do_builtin() at netbsd:module_do_builtin+0x132
module_init_class() at netbsd:module_init_class+0x1cf
main() at netbsd:main+0x4fc
start_prekern() at netbsd:start_prekern+0xf5
?() at 100641
ds 0
es 1
fs 8
gs f1ef
rdi 0
rsi 2
rbp ffffffff91ed6ac0
rbx fffffffff6ab4714
rdx 0
rcx 0
rax 0
db{0}> show page
PAGE 0xffffffffe78c60a6:
flags=0x6601f173<CLEAN,DIRTY,PAGEOUT,RELEASED,FAKE,ZERO,FILE,READAHEAD,FREE,MARKER,PAGER1>
pqflags=0xf66d04d<INTENT_0,INTENT_SET,INTENT_QUEUED,PRIVATE3,WANTED>
uobject=0x6a0f66c86f0f66c8, uanon=0x7e0f416655c8700f, offset=0xf66c97e0f4166c8
[ 1.2851297] panic: kernel diagnostic assertion "upm != UVM_PHYSSEG_TYPE_INVALID" failed: file "/home/h/netbsd/git/src/sys/uvm/uvm_page.c", line 2015
[ 1.2851297] cpu0: Begin traceback...
[ 1.2851297] vpanic() at netbsd:vpanic+0x173
[ 1.2851297] kern_assert() at netbsd:kern_assert+0x4b
[ 1.2851297] uvm_page_lookup_freelist() at netbsd:uvm_page_lookup_freelist+0x59
[ 1.2851297] uvm_page_printit() at netbsd:uvm_page_printit+0xc1
[ 1.2851297] db_command() at netbsd:db_command+0x123
[ 1.2851297] db_command_loop() at netbsd:db_command_loop+0xa4
[ 1.2851297] db_trap() at netbsd:db_trap+0xcc
[ 1.2851297] kdb_trap() at netbsd:kdb_trap+0x106
[ 1.2851297] trap() at netbsd:trap+0x28f
[ 1.2851297] --- trap (number 4) ---
[ 1.2851297] aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
[ 1.2851297] aes_sse2_probe() at netbsd:aes_sse2_probe+0x14
[ 1.2851297] aes_selftest() at netbsd:aes_selftest+0x26
[ 1.2851297] aes_modcmd() at netbsd:aes_modcmd+0xf7
[ 1.2851297] module_do_builtin() at netbsd:module_do_builtin+0x17d
[ 1.2851297] module_do_builtin() at netbsd:module_do_builtin+0x132
[ 1.2851297] module_init_class() at netbsd:module_init_class+0x1cf
[ 1.2851297] main() at netbsd:main+0x4fc
[ 1.2851297] start_prekern() at netbsd:start_prekern+0xf5
[ 1.2851297] ?() at 100641
[ 1.2851297] cpu0: End traceback...
[ 1.2851297] fatal breakpoint trap in supervisor mode
[ 1.2851297] trap type 1 code 0 rip 0xffffffffae63c405 cs 0x8 rflags 0x202 cr2 0 ilevel 0x8 rsp 0xffffffff91ed6480
[ 1.2851297] curlwp 0xffffffffc1f00f00 pid 0.0 lowest kstack 0xffffffff91ed22c0
Stopped in pid 0.0 (system) at netbsd:breakpoint+0x5: leave
db{0}>
Harold
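When running boot loops like the ones described in this thread, it helps to classify each serial-console transcript automatically rather than eyeballing it. The script below is an added example, not code from the PR or from NetBSD: it takes a boot log, reports whether the boot reached the end of the transcript or hit a fatal trap, pulls the trap type, rip and rsp from the "trap type" line, records the last message before the fault, and collects the ddb backtrace frames. Because KASLR relocates the kernel on every boot, the rip differs between the two failures quoted above while the symbol+offset (aes_sse2_selftest+0xb9) is identical, so the example keys crashes on symbol+offset. The sample transcripts are constructed, abridged from the lines quoted in this message; the regexes assume the dmesg/ddb line formats seen there.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples, abridged from the transcripts quoted in the bug report.
GOOD_BOOT = """\
[ 1.2098422] acpicpu0: ACPI CPUs started
[ 1.2500817] IPsec: Initialized Security Association Processing.
[ 1.2998684] aes: Intel SSE2 bitsliced
[ 1.3103742] adiantum: self-test passed
[ 4.4499762] cgd: self-tests passed
[ 4.4499762] swwdog0: software watchdog initialized
"""

BAD_BOOT = """\
[ 1.2131918] acpicpu0: ACPI CPUs started
[ 1.2430493] IPsec: Initialized Security Association Processing.
[ 1.2730054] fatal protection fault in supervisor mode
[ 1.2730054] trap type 4 code 0 rip 0xffffffffe78c60a6 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffff91ed6a80
[ 1.2730054] curlwp 0xffffffffc1f00f00 pid 0.0 lowest kstack 0xffffffff91ed22c0
kernel: protection fault trap, code=0
Stopped in pid 0.0 (system) at netbsd:aes_sse2_selftest+0xb9: ???
aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
aes_sse2_probe() at netbsd:aes_sse2_probe+0x14
aes_selftest() at netbsd:aes_selftest+0x26
"""

# Second failure from the same thread: different rip (KASLR), same symbol+offset.
BAD_BOOT_2 = """\
[ 1.2500817] IPsec: Initialized Security Association Processing.
[ 1.4884345] fatal protection fault in supervisor mode
[ 1.4884345] trap type 4 code 0 rip 0xffffffffacefd336 cs 0x8 rflags 0x246 cr2 0 ilevel 0x6 rsp 0xffffffffe9e85a80
kernel: protection fault trap, code=0
aes_sse2_selftest() at netbsd:aes_sse2_selftest+0xb9
"""

STAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*(.*)$")           # strip "[ 1.234 ] " prefix
TRAP_RE = re.compile(r"trap type (\d+) code \d+ rip (0x[0-9a-f]+) .*? rsp (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^(\w+)\(\) at netbsd:(\w+)\+(0x[0-9a-f]+)$")   # ddb backtrace frame


@dataclass
class BootResult:
    ok: bool = True
    trap_type: Optional[int] = None
    rip: Optional[int] = None
    rsp: Optional[int] = None
    last_good: Optional[str] = None        # last message printed before the fault
    frames: List[str] = field(default_factory=list)

    def crash_key(self) -> Optional[str]:
        # symbol+offset of the innermost frame: stable across KASLR boots, unlike rip
        return self.frames[0] if self.frames else None


def classify_boot(text: str) -> BootResult:
    """Walk a boot transcript once; switch to trap-parsing mode at the first fatal line."""
    res = BootResult()
    for raw in text.splitlines():
        m = STAMP_RE.match(raw)
        line = m.group(1) if m else raw
        if res.ok:
            if line.startswith("fatal ") or line.startswith("panic:"):
                res.ok = False
            else:
                res.last_good = line
            continue
        t = TRAP_RE.search(line)
        if t and res.rip is None:          # keep the first trap only
            res.trap_type = int(t.group(1))
            res.rip = int(t.group(2), 16)
            res.rsp = int(t.group(3), 16)
            continue
        f = FRAME_RE.match(line)
        if f:
            res.frames.append(f"{f.group(2)}+{f.group(3)}")
    return res


if __name__ == "__main__":
    for name, log in (("good", GOOD_BOOT), ("bad", BAD_BOOT), ("bad2", BAD_BOOT_2)):
        r = classify_boot(log)
        print(name, "ok" if r.ok else f"trap {r.trap_type} at {r.crash_key()} rip={r.rip:#x}",
              "| last:", r.last_good)
```

Feeding each reboot's serial log through classify_boot and grouping by crash_key() shows at a glance whether a bisection step produced the same aes_sse2_selftest fault or something new, without being fooled by the randomized rip.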