early_serial_setup() is unavailable after init

[ttg-public]

See discussion in c390f74#comments

cc @semool @jumkey

[semool]

With kernel4 for DSM6 i already have the crash with early_setup. Only the kernel3 loaders are working while they dont do a reinit. When i disable reinit for DS918 in platform.h all is working.

[    3.584374] <redpill/runtime_config.c:159> Runtime config populated
[    3.587588] <redpill/call_protected.c:81> Got addr ffffffff818ba4e0 for early_serial_setup
[    3.588433] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[    3.589185] BUG: unable to handle kernel paging request at ffffffff818ba4e0
[    3.589422] IP: [<ffffffff818ba4e0>] early_serial_setup+0x0/0x13e
[    3.589422] PGD 180d067 PUD 180e063 PMD 7d05c063 PTE 80000000018ba163
[    3.589422] Oops: 0011 [#1] PREEMPT SMP
[    3.589422] Modules linked in: redpill(OE+)
[    3.589422] CPU: 1 PID: 3406 Comm: insmod Tainted: G           OE   4.4.59+ #25556
[    3.589422] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[    3.589422] task: ffff88007c8cf3c0 ti: ffff880035178000 task.ti: ffff880035178000
[    3.589422] RIP: 0010:[<ffffffff818ba4e0>]  [<ffffffff818ba4e0>] early_serial_setup+0x0/0x13e
[    3.589422] RSP: 0018:ffff88003517bb28  EFLAGS: 00010286
[    3.589422] RAX: ffffffff818ba4e0 RBX: ffff88003517bb48 RCX: 0000000000000000
[    3.589422] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88003517bb48
[    3.589422] RBP: ffff88003517bb38 R08: 6c6c69706465723c R09: 5f6c6c61632f6c6c
[    3.589422] R10: ffffffff817154ee R11: 65746365746f7270 R12: ffffffffa0007dd0
[    3.589422] R13: 0000000000000000 R14: ffffffffa0012000 R15: ffff88007d218340
[    3.589422] FS:  00007ff05f0b0700(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[    3.589422] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.589422] CR2: ffffffff818ba4e0 CR3: 000000003608b000 CR4: 00000000000006f0
[    3.589422] Stack:
[    3.589422]  ffffffffa00010e9 0000000000000000 ffff88003517bcc0 ffffffffa0007473
[    3.589422]  0000000000000000 00000000000003f8 0000000000000000 0000000000000000
[    3.589422]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[    3.589422] Call Trace:
[    3.589422]  [<ffffffffa00010e9>] ? _early_serial_setup+0x19/0xa0 [redpill]
[    3.589422]  [<ffffffffa0007473>] fix_muted_ttyS0+0x53/0xd0 [redpill]
[    3.589422]  [<ffffffffa000753e>] register_uart_fixer+0x1e/0xa0 [redpill]
[    3.589422]  [<ffffffffa001207f>] init_redpill+0x7f/0x151 [redpill]
[    3.589422]  [<ffffffff810003b6>] do_one_initcall+0x86/0x1b0
[    3.589422]  [<ffffffff810e32f4>] do_init_module+0x56/0x1c2
[    3.589422]  [<ffffffff810b9129>] load_module+0x1b29/0x2020
[    3.589422]  [<ffffffff810b6860>] ? __symbol_put+0x50/0x50
[    3.589422]  [<ffffffff810b971f>] SYSC_init_module+0xff/0x110
[    3.589422]  [<ffffffff810b97b9>] SyS_init_module+0x9/0x10
[    3.589422]  [<ffffffff81578b8a>] entry_SYSCALL_64_fastpath+0x1e/0x92
[    3.589422] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc <cc> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[    3.589422] RIP  [<ffffffff818ba4e0>] early_serial_setup+0x0/0x13e
[    3.589422]  RSP <ffff88003517bb28>
[    3.589422] CR2: ffffffff818ba4e0
[    3.589422] ---[ end trace 140e8d9d14363746 ]---
Killed

[ttg-public]

Hm, so it seems to be even worse - it's install dependent as to when early_serial_setup() is removed. Technically we can expect that because kernel has all the rights to remove it after boot but it somehow worked for years (and in fact Jun's loader used the same method as there aren't many options).

[semool]

Juns loader 1.04 works fine with the same virtual Machine. Strange.

[ttg-public]

The thing is the early_serial_setip() CAN be removed but doesn't HAVE TO be removed. It's a combination of decision based on compiler and machine characteristics and sometimes even on the pseudo-random factors during boot.

In the newer compilation of the kernel (starting with 6.2.4) they modified the init process by adding some of their own flags to it (the boot_header chain of trust). This shifted the code just enough to mess up Jun's ELF patching for ramdisk and also cause early_serial_setup() to be removed. The one trick which we will try is to load as a fake I/O scheduler which loads quite much earlier, which drastically increases the chance of early_serial_setup() still being available in memory ;)

[lazosweb]

Aug 14 20:13:21 kernel: [ 3.197447] <redpill/runtime_config.c:172> Config validation resulted in OK
Aug 14 20:13:21 kernel: [ 3.198476] <redpill/runtime_config.c:189> Runtime config populated
Aug 14 20:13:21 kernel: [ 3.201491] <redpill/call_protected.c:85> Got addr ffffffff81928292 for early_serial_setup
Aug 14 20:13:21 kernel: [ 3.202721] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
Aug 14 20:13:21 kernel: [ 3.203712] BUG: unable to handle kernel paging request at ffffffff81928292
Aug 14 20:13:21 kernel: [ 3.203712] IP: [] early_serial_setup+0x0/0x150
Aug 14 20:13:21 kernel: [ 3.203712] PGD 180d067 PUD 180e063 PMD 2768ad063 PTE 8000000001928163
Aug 14 20:13:21 kernel: [ 3.203712] Oops: 0011 [#1] SMP
Aug 14 20:13:21 kernel: [ 3.203712] Modules linked in: redpill(OE+)
Aug 14 20:13:21 kernel: [ 3.203712] CPU: 2 PID: 3813 Comm: insmod Tainted: G OE 4.4.180+ #41890
Aug 14 20:13:21 kernel: [ 3.203712] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Aug 14 20:13:21 kernel: [ 3.203712] task: ffff880079762640 ti: ffff8802715d4000 task.ti: ffff8802715d4000
Aug 14 20:13:21 kernel: [ 3.203712] RIP: 0010:[] [] early_serial_setup+0x0/0x150
Aug 14 20:13:21 kernel: [ 3.203712] RSP: 0018:ffff8802715d7b40 EFLAGS: 00010246
Aug 14 20:13:21 kernel: [ 3.203712] RAX: ffffffff81928292 RBX: ffff8802715d7b60 RCX: 00000000000001fa
Aug 14 20:13:21 kernel: [ 3.203712] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff8802715d7b60
Aug 14 20:13:21 kernel: [ 3.203712] RBP: ffff8802715d7b50 R08: 6c6c69706465723c R09: 00000000000001fa
Aug 14 20:13:21 kernel: [ 3.203712] R10: ffffffff816fab40 R11: 65746365746f7270 R12: ffff880272b6d020
Aug 14 20:13:21 kernel: [ 3.203712] R13: 0000000000000000 R14: ffffffffa0013000 R15: ffff880274db3e40
Aug 14 20:13:21 kernel: [ 3.203712] FS: 00007f3df8292740(0000) GS:ffff88027fd00000(0000) knlGS:0000000000000000
Aug 14 20:13:21 kernel: [ 3.203712] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 14 20:13:21 kernel: [ 3.203712] CR2: ffffffff81928292 CR3: 000000027310e000 CR4: 00000000003406b0
Aug 14 20:13:21 kernel: [ 3.203712] Stack:
Aug 14 20:13:21 kernel: [ 3.203712] ffffffffa000039c ffffffff81811040 ffff8802715d7cd8 ffffffffa0002323
Aug 14 20:13:21 kernel: [ 3.203712] 0000000000000000 00000000000003f8 0000000000000000 0000000000000000
Aug 14 20:13:21 kernel: [ 3.203712] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Aug 14 20:13:21 kernel: [ 3.203712] Call Trace:
Aug 14 20:13:21 kernel: [ 3.203712] [] ? _early_serial_setup+0x1c/0x40 [redpill]
Aug 14 20:13:21 kernel: [ 3.203712] [] fix_muted_ttyS0+0x53/0x70 [redpill]
Aug 14 20:13:21 kernel: [ 3.203712] [] register_uart_fixer+0x1f/0x60 [redpill]
Aug 14 20:13:21 kernel: [ 3.203712] [] init_redpill+0x6e/0x11a [redpill]
Aug 14 20:13:21 kernel: [ 3.203712] [] do_one_initcall+0x88/0x1a0
Aug 14 20:13:21 kernel: [ 3.203712] [] ? __vunmap+0x9a/0xf0
Aug 14 20:13:21 kernel: [ 3.203712] [] do_init_module+0x5a/0x1bf
Aug 14 20:13:21 kernel: [ 3.203712] [] load_module+0x1ca0/0x22b0
Aug 14 20:13:21 kernel: [ 3.203712] [] ? __symbol_put+0x40/0x40
Aug 14 20:13:21 kernel: [ 3.203712] [] SYSC_finit_module+0x81/0xa0
Aug 14 20:13:21 kernel: [ 3.203712] [] SyS_finit_module+0x9/0x10
Aug 14 20:13:21 kernel: [ 3.203712] [] entry_SYSCALL_64_fastpath+0x1e/0x8e
Aug 14 20:13:21 kernel: [ 3.203712] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
Aug 14 20:13:21 kernel: [ 3.203712] RIP [] early_serial_setup+0x0/0x150
Aug 14 20:13:21 kernel: [ 3.203712] RSP
Aug 14 20:13:21 kernel: [ 3.203712] CR2: ffffffff81928292
Aug 14 20:13:21 kernel: [ 3.203712] ---[ end trace 95cce87ae55286a2 ]---

[ttg-public]

We disabled it for now - afe20e4

The least invasive solution we can cobble together would be to try loading RP as I/O scheduler as - if we're reading the kernel code correctly - should ensure it executes just milliseconds before early_serial_setup is removed from memory.

[ttg-public]

This is no longer an issue due to the following commits:

• 22d4019
• 601c7e9
• RedPill-TTG/redpill-load@5a91059