[grsec] how to check the hardware support of XN/XI bit support on ARM/MIPS platform
Girish garg
girishgargdce at gmail.com
Thu Jan 3 04:46:24 EST 2013
Hi All,
Please let me know how to check the hardware support of the XN/XI bit on ARM/MIPS platforms.
There is support for the XN bit on ARM v >= 6 (I was using ARM 6), but no support on MIPS (MIPS 34Kc).
To check the hardware support, I ran paxtest, i.e. execstack. The execstack test program must crash on ARM, but not on MIPS.
But it is crashing on both ARM and MIPS.
Please let me know how I can prove/check the hardware support of the XN bit on the ARM platform.
/* execstack.c - Tests whether code on the stack can be executed
 *
 */
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef PAGESIZE
#define PAGESIZE (4096)
#endif /* PAGESIZE */

typedef void (*fptr)(void);

char *testname = "Executable stack ";

/* Defined below, after main(): declare it before its first use */
int do_mprotect( const void *addr, size_t len, int prot );

void itworked( void )
{
    printf( "Vulnerable\n" );
    exit( 1 );
}

void doit( void )
{
    char buf[8192];
    fptr func;

    /* Put a RETN instruction in the buffer (0xc3 is the x86 `ret` opcode;
     * ARM and MIPS use 32-bit instruction words, so this single byte is
     * not a valid return instruction there) */
    buf[0] = '\xc3';

    /* Convert the pointer to a function pointer */
    func = (fptr)buf;

    /* Call the code in the buffer */
    func();

    /* It worked when the function returns */
    itworked();
}

int main( int argc, char *argv[] )
{
    int status;

    printf( "%s: ", testname );
    fflush( stdout );

    if( fork() == 0 ) {
        /* Make the stack page holding argv readable, writable and executable */
        do_mprotect( (const void *)((unsigned long)argv & ~4095U), 4096,
                     PROT_READ|PROT_WRITE|PROT_EXEC );
        doit();
    } else {
        wait( &status );
        if( WIFEXITED(status) == 0 ) {
            printf( "Killed\n" );
            exit( 0 );
        }
    }
    exit( 0 );
}

void itfailed( void )
{
    printf( "Ok\n" );
    exit( 2 );
}

int do_mprotect( const void *addr, size_t len, int prot )
{
    void *ptr;
    int retval;

    /* Align to a multiple of PAGESIZE, assumed to be a power of two */
    ptr = (char *)(((unsigned long) addr) & ~(PAGESIZE-1));
    retval = mprotect( ptr, len, prot );
    if( retval != 0 && errno == EINVAL ) {
        perror( "could not mprotect():" );
        exit( 1 );
    }
    return retval;
}
On the MIPS target the execstack test case gives the coredump below, although I assume that the XI bit is not supported in MIPS.
To check the XI bit support on the MIPS target I read bit No. 12, i.e. RXI, of the Config3 register.
The value of the Config3 register is 0x2425 in the MIPS kernel (X13).
The following is its bit-wise representation:
Position  31-28  27-24  23-20  19-16  15-12  11-8   7-4    3-0
Value     0000   0000   0000   0000   0010   0100   0010   0101

(bits 13, 10, 5, 2 and 0 are set; bit 12, RXI, is 0)
VDLinux#> ./execstack
Executable stack[ 53.272000] do_ri() : sending SIGILL to execstack, PID:386
[ 53.280000]
================================================================================
[ 53.288000] KERNEL Version : 0045, debug
[ 53.292000]
================================================================================
[ 53.300000]
[ 53.304000]
--------------------------------------------------------------------------------------
[ 53.312000] EPC, RA MEMINFO
[ 53.316000]
--------------------------------------------------------------------------------------
[ 53.324000] epc:7f9c9548, ra:400854
[ 53.328000]
--------------------------------------------------------------------------------------
[ 54.208000] Cpu 0
[ 54.212000] $ 0 : 00000000 00000001 00000000 00000001
[ 54.216000] $ 4 : 7f9ca000 00001000 00000007 00000000
[ 54.224000] $ 8 : 00000000 80000008 800ebe90 fffffff8
[ 54.228000] $12 : 20202020 2af76000 00000000 7f9c9e20
[ 54.232000] $16 : 7f9ca0e4 00000000 00580000 00d584a8
[ 54.240000] $20 : 00590e05 00d5933c 005b0000 00000000
[ 54.244000] $24 : 00000000 7f9c7fd8
[ 54.248000] $28 : 2c1b6980 7f9c7fc0 00000000 00400854
[ 54.256000] Hi : 00000308
[ 54.256000] Lo : 0001e624
[ 54.260000] epc : 7f9c9548 0x7f9c9548
[ 54.264000] Tainted: P
[ 54.268000] ra : 00400854 0x400854
[ 54.272000] Status: 01008c13 USER EXL IE
[ 54.276000] Cause : 10800028
[ 54.280000] PrId : 00019555 (MIPS 34Kc)
[ 54.284000] -----------------------------------------------------------
[ 54.292000] * dump maps on pid (386)
[ 54.296000] -----------------------------------------------------------
[ 54.300000] 00400000-00401000 r-xp 00000000 08:01 353 /dtv/usb/sda1/pax_test_mips/execstack
[ 54.312000] 00410000-00411000 rw-p 00000000 08:01 353 /dtv/usb/sda1/pax_test_mips/execstack
[ 54.320000] 2af76000-2af88000 rw-p 00000000 00:00 0
[ 54.324000] 2c000000-2c021000 r-xp 00000000 8a:0a 67 /mtd_exe/lib/ld-2.14.1.so
[ 54.332000] 2c030000-2c031000 r--p 00020000 8a:0a 67 /mtd_exe/lib/ld-2.14.1.so
[ 54.340000] 2c031000-2c032000 rw-p 00021000 8a:0a 67 /mtd_exe/lib/ld-2.14.1.so
[ 54.348000] 2c040000-2c19b000 r-xp 00000000 8a:0a 71 /mtd_exe/lib/libc-2.14.1.so
[ 54.356000] 2c19b000-2c1aa000 ---p 0015b000 8a:0a 71 /mtd_exe/lib/libc-2.14.1.so
[ 54.368000] 2c1aa000-2c1ae000 r--p 0015a000 8a:0a 71 /mtd_exe/lib/libc-2.14.1.so
[ 54.376000] 2c1ae000-2c1b0000 rw-p 0015e000 8a:0a 71 /mtd_exe/lib/libc-2.14.1.so
[ 54.384000] 2c1b0000-2c1b3000 rw-p 00000000 00:00 0
[ 54.388000] 7f9a9000-7f9cb000 rwxp 00000000 00:00 0 [stack]
[ 54.396000] 7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso]
[ 54.400000] -----------------------------------------------------------
[ 54.400000]
[ 54.408000] task stack info : pid(386) stack area (0x7f9a9000 ~ 0x7f9cb000)
[ 56.624000] -----------------------------------------------------------
[ 56.624000]
[ 56.636000] ##### send signal from KERNEL, SIG : 4, execstack, PID:386, force_sig_info
[ 56.644000] Call Trace:
[ 56.644000] [<802fccd8>] dump_stack+0x8/0x34 from[<80044180>] force_sig_info+0x54/0x1b0
[ 56.652000] [<80044180>] force_sig_info+0x54/0x1b0 from[<80007364>] ret_from_exception+0x0/0x10
[ 56.664000]
[ 56.664000] ##### send signal SIG : 4, execstack(386)->execstack(386) __send_signal
[ 56.672000] ##### deliver signal SIG : 4, execstack(386) get_signal_to_deliver
[ 56.680000] [VDLP COREDUMP] SIGNR:4
[ 56.680000]
[ 56.684000] ***** Coredump : Insert USB memory stick, mount check per 10sec... *****
[ 57.724000] ***** USB detected *****
[ 57.728000] ***** Create pid : 386 coredump file to USB mount dir /dtv/usb/sda1/Coredump.386.gz ******
[ 57.736000] * Ultimate CoreDump v1.0 : started dumping core into 'Coredump.386.gz' file *
[ 57.744000] <1>##### elf aligned pages num : 1 + (3 Coredump guard buffers)
[ 57.752000] ##### Not used first lower guard page, elf_foffset : 1364, aligned_elf_foffset : 4096
[ 57.764000] ##### set_gzip_header() return success...
[ 57.768000] ##### Allocated 267980 bytes for deflate workspace
[ 57.776000] ##### coredump_alloc_workspaces() return success...
[ 57.980000] ##### (vma->vm_next) == NULL ...
[ 57.992000] ##### Process addr space debug Info #####
[ 57.996000] ##### vma_cnt : 13
[ 58.000000] ##### vm_page : 65
[ 58.004000] ##### user_page_cnt : 17
[ 58.008000] ##### zero_page_cnt : 48
[ 58.012000] ##### kernel_page_cnt : 0
[ 58.016000] ##### uncomp_coredump_file_size : 270336
[ 58.020000] ##### GZIP tailer CRC32 : 2982301179
[ 58.028000] ***** Create coredump file to USB mount dir ******
[ 58.032000] CoreDump: finished dumping core
: Killed
Similarly, for ARM it is also giving a core dump like this:
VDLinux#> ./execstack
Executable stack[ 451.784000] execstack: unhandled page fault (11) at 0xbead5860, code 0x80000007
[ 451.792000]
================================================================================
[ 451.800000] KERNEL Version : 0000
[ 451.804000]
================================================================================
[ 451.812000]
[ 451.812000]
--------------------------------------------------------------------------------------
[ 451.820000] PC, LR MEMINFO
[ 451.824000]
--------------------------------------------------------------------------------------
[ 451.832000] PC:bead5860, LR:85c0
[ 451.836000]
--------------------------------------------------------------------------------------
[ 453.180000] pgd = e317c000
[ 453.184000] [bead5860] *pgd=a9d2e831, *pte=00000000, *ppte=00000000
[ 453.192000]
[ 453.192000] Pid: 429, comm: execstack
[ 453.196000] CPU: 1 Tainted: P (3.0.33 #124)
[ 453.200000] PC is at 0xbead5860
[ 453.204000] LR is at 0x85c0
[ 453.208000] pc : [<bead5860>] lr : [<000085c0>] psr: 60000010
[ 453.208000] sp : bead5860 ip : 40220f80 fp : 00000000
[ 453.220000] r10: 40119000 r9 : 00000000 r8 : 00000000
[ 453.224000] r7 : 00000000 r6 : 00008500 r5 : 00000000 r4 : bead79c4
[ 453.232000] r3 : bead5860 r2 : 00000007 r1 : 00001000 r0 : 00000000
[ 453.236000] Flags: nZCv IRQs on FIQs on Mode USER_32 ISA ARM Segment user
[ 453.244000] Control: 10c53c7d Table: a9d7c04a DAC: 00000015
[ 453.252000] [<c004b034>] (show_regs+0x0/0x58) from [<c004e588>] (show_info+0xb0/0x104)
[ 453.260000] r4:e38e4ba0 r3:00000002
[ 453.260000] [<c004e4d8>] (show_info+0x0/0x104) from [<c0055468>] (__do_user_fault+0x50/0x94)
[ 453.272000] r6:0000000b r5:bead5860 r4:e38e4ba0 r3:00000000
[ 453.276000] [<c0055418>] (__do_user_fault+0x0/0x94) from [<c03bf93c>] (do_page_fault+0x2d8/0x324)
[ 453.284000] r7:e38e4ba0 r6:bead5860 r5:00030002 r4:e31c7fb0
[ 453.292000] [<c03bf664>] (do_page_fault+0x0/0x324) from [<c003b260>] (do_PrefetchAbort+0x44/0xa8)
[ 453.300000] [<c003b21c>] (do_PrefetchAbort+0x0/0xa8) from [<c03bd6c8>] (ret_from_exception+0x0/0x10)
[ 453.308000] Exception stack(0xe31c7fb0 to 0xe31c7ff8)
[ 453.312000] 7fa0: 00000000 00001000 00000007 bead5860
[ 453.320000] 7fc0: bead79c4 00000000 00008500 00000000 00000000 00000000 40119000 00000000
[ 453.328000] 7fe0: 40220f80 bead5860 000085c0 bead5860 60000010 ffffffff
[ 453.336000] r7:00000000 r6:00008500 r5:00000007 r4:0000040f
[ 453.344000] -----------------------------------------------------------
[ 453.348000] * dump maps on pid (429)
[ 453.352000] -----------------------------------------------------------
[ 453.360000] 00008000-00009000 r-xp 00000000 08:11 440 /dtv/usb/sdb1/paxtest-0.9.5/execstack
[ 453.368000] 00010000-00011000 rw-p 00000000 08:11 440 /dtv/usb/sdb1/paxtest-0.9.5/execstack
[ 453.376000] 400bc000-400bd000 rw-p 400bc000 08:11 440
[ 453.380000] 400ce000-400cf000 rw-p 400ce000 08:11 440
[ 453.384000] 400f2000-40110000 r-xp 00000000 b3:03 105 /mtd_exe/lib/ld-2.14.1.so
[ 453.392000] 40118000-40119000 r--p 0001e000 b3:03 105 /mtd_exe/lib/ld-2.14.1.so
[ 453.400000] 40119000-4011a000 rw-p 0001f000 b3:03 105 /mtd_exe/lib/ld-2.14.1.so
[ 453.408000] 4011c000-4011d000 rw-p 4011c000 b3:03 105
[ 453.412000] 4015d000-40277000 r-xp 00000000 b3:03 113 /mtd_exe/lib/libc-2.14.1.so
[ 453.420000] 40277000-4027f000 ---p 0011a000 b3:03 113 /mtd_exe/lib/libc-2.14.1.so
[ 453.428000] 4027f000-40281000 r--p 0011a000 b3:03 113 /mtd_exe/lib/libc-2.14.1.so
[ 453.436000] 40281000-40282000 rw-p 0011c000 b3:03 113 /mtd_exe/lib/libc-2.14.1.so
[ 453.444000] 40282000-40285000 rw-p 40282000 b3:03 113
[ 453.448000] beab6000-bead7000 rw-p befde000 b3:03 113
[ 453.452000] bead7000-bead8000 rwxp befff000 b3:03 113
[ 453.460000] ffff0000-ffff1000 r-xp ffff0000 b3:03 113
[ 453.464000] -----------------------------------------------------------
[ 453.464000]
[ 453.472000] task stack info : pid(429) stack area (0xbead7000 ~ 0xbead8000)
[ 453.480000] -----------------------------------------------------------
[ 453.484000] * dump user stack
[ 453.488000] -----------------------------------------------------------
[ 453.496000] pid(429) : seems stack overflow.
[ 453.496000] sp(bead5860), stack vma (0xbead7000 ~ 0xbead8000)
[ 453.504000] -----------------------------------------------------------
[ 453.504000]
[ 453.512000] [VDLP COREDUMP] SIGNR:11
[ 453.512000]
[ 453.520000] ***** Coredump : Insert USB memory stick, mount check per 10sec... *****
[ 453.528000] ***** USB detected *****
[ 453.528000] ***** Create pid : 429 coredump file to USB mount dir /dtv/usb/sdb1/Coredump.429.gz ******
[ 453.540000] * Ultimate CoreDump v0.4 : started dumping core into 'Coredump.429.gz' file *
[ 453.548000] <1>##### elf aligned pages num : 1 + (3 Coredump guard buffers)
[ 453.552000] ##### Not used first lower guard page, elf_foffset : 1488, aligned_elf_foffset : 4096
[ 453.564000] ##### set_gzip_header() return success...
[ 453.568000] ##### Allocated 267980 bytes for deflate workspace
[ 453.572000] ##### coredump_alloc_workspaces() return success...
: [ 453.692000] ##### (vma->vm_next) == NULL ...
[ 453.700000] ##### Process addr space debug Info #####
[ 453.704000] ##### vma_cnt : 16
[ 453.708000] ##### vm_page : 47
[ 453.708000] ##### user_page_cnt : 15
[ 453.712000] ##### zero_page_cnt : 32
[ 453.716000] ##### kernel_page_cnt : 0
[ 453.720000] ##### uncomp_coredump_file_size : 196608
[ 453.724000] ##### GZIP tailer CRC32 : 1604686521
[ 453.732000] ***** Create coredump file to USB mount dir ******
[ 453.736000] CoreDump: finished dumping core
Killed
Please let me know how to check the hardware support of the XN bit in ARMv6/ARMv7 and the XI bit support on MIPS 34Kc.

Thanks and Regards,
Girish Gupta
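An architecture-aware variant of the same probe, added here as an example (it is neither paxtest's code nor the poster's): it writes a return instruction that is valid for the CPU it is compiled for, makes only the pages holding the buffer RWX, and catches the resulting signal so that a SIGILL (an encoding the CPU cannot decode) is reported separately from a SIGSEGV (execution refused by XN/XI). The enum and function names are invented for this example; for 32-bit ARM the ARM-mode (not Thumb) encoding is assumed.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
enum { XRES_EXECUTED, XRES_FAULT, XRES_ILL, XRES_MPROTECT };   /* probe outcomes */
static sigjmp_buf jb; static volatile sig_atomic_t caught;
static void on_sig(int sig) { caught = sig; siglongjmp(jb, 1); }

/* Return-to-caller instruction for the CPU this is compiled for, stored in native byte
 * order (instructions are fetched in the CPU's own endianness). ARM-mode, not Thumb. */
size_t ret_insn(unsigned char *out)
{
#if defined(__i386__) || defined(__x86_64__)
    const unsigned char w[] = { 0xc3 };                 /* ret */
#elif defined(__aarch64__)
    const uint32_t w[] = { 0xd65f03c0 };                /* ret */
#elif defined(__arm__)
    const uint32_t w[] = { 0xe12fff1e };                /* bx lr */
#elif defined(__mips__)
    const uint32_t w[] = { 0x03e00008, 0x00000000 };    /* jr $ra ; nop (delay slot) */
#endif
    memcpy(out, w, sizeof w);
    return sizeof w;
}

/* Put the return instruction in a stack buffer, make the pages holding it RWX (paxtest
 * does this to argv's page instead), call into it and report how the attempt ended. */
int probe_stack_exec(void)
{
    unsigned char buf[8192], *code = buf + 4096;
    size_t n = ret_insn(code);
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)code & ~(pg - 1), hi = ((uintptr_t)code + n + pg - 1) & ~(pg - 1);
    struct sigaction sa = { .sa_handler = on_sig, .sa_flags = SA_NODEFER }, o_segv, o_ill;
    int res;
    sigaction(SIGSEGV, &sa, &o_segv); sigaction(SIGILL, &sa, &o_ill);
    if (mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        res = XRES_MPROTECT;          /* a W^X policy such as PaX MPROTECT refused the request */
    } else if (sigsetjmp(jb, 1) == 0) {
        __builtin___clear_cache((char *)code, (char *)code + n);  /* I-cache sync on ARM/MIPS */
        ((void (*)(void))code)();     /* returns normally only if stack code may execute */
        res = XRES_EXECUTED;
    } else {
        res = (caught == SIGILL) ? XRES_ILL : XRES_FAULT;  /* SIGILL: bad encoding; SIGSEGV: XN/XI */
    }
    mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE);
    sigaction(SIGSEGV, &o_segv, NULL); sigaction(SIGILL, &o_ill, NULL);
    return res;
}
```

On a board whose page table does not honour XN/XI the probe returns XRES_EXECUTED while the kernel-level fault path in the dumps above is never reached; XRES_ILL means the encoding, not the permission, is what stopped execution.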