Bug 1411490

Summary: [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm)
Product: Red Hat Enterprise Linux 7 Reporter: Ademar Reis <areis>
Component: qemu-kvm Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA QA Contact: cliao <cliao>
Severity: high Docs Contact: Jiri Herrmann <jherrman>
Priority: medium    
Version: 7.3CC: anderson, areis, arozansk, berrange, bhe, chayang, chorn, cliao, coli, cye, drjones, fj-lsoft-kernel-it, fj-lsoft-rh-dump, herbert.xu, jinzhao, jpoimboe, juzhang, knoel, lersek, libvirt-maint, lmiksik, lwang, marcandre.lureau, michen, mrezanin, mtessun, ngu, pasik, pingl, pmatouse, rbalakri, ruyang, virt-bugs, virt-maint, yafu, yuhuang
Target Milestone: rc Keywords: FutureFeature, OtherQA
Target Release: 7.5   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qemu-kvm-1.5.3-154.el7 Doc Type: Release Note
Doc Text:
KASLR for KVM guests
Red Hat Enterprise Linux 7.5 introduces the Kernel Address Space Layout Randomization (KASLR) feature for KVM guest virtual machines. KASLR randomizes the physical and virtual address at which the kernel image is decompressed, and thus prevents guest security exploits based on the location of kernel objects. KASLR is activated by default, but can be deactivated on a specific guest by adding the `nokaslr` string to the guest's kernel command line. Note that kernel crash dumps of guests with KASLR activated cannot be analyzed using the *crash* utility. To fix this, add the `<vmcoreinfo/>` element to the `<features>` section of the XML configuration files of your guests. However, KVM guests with `<vmcoreinfo/>` cannot be migrated to a host system that does not support this element. This includes hosts that use Red Hat Enterprise Linux 7.4 and earlier.
Story Points: ---
Clone Of: 1398633
: 1484340 1519748 Environment:
Last Closed: 2018-04-10 14:32:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1290840, 1398633, 1424943, 1493125    
Bug Blocks: 1288169, 1395248, 1469590, 1484340, 1519748, 1522983, 1555268, 1555276, 1568461, 1568736    

Description Ademar Reis 2017-01-09 20:28:29 UTC
+++ This bug was initially created as a clone of Bug #1398633 +++

QEMU clone for the implementation of this feature. There's no consensus yet on how this part should be implemented (guest agent, acpi hook that sends this via qemu monitor, virtio-pstore?)

+++ This bug was initially created as a clone of Bug #1395248 +++

Patches are ready for most components, but we need a solution for virsh dump when KVM guests have KASLR enabled.

The discussion upstream appears to be converging to a qemu-guest-agent solution for now: http://lists.nongnu.org/archive/html/qemu-devel/2016-11/msg01618.html

+++ This bug was initially created as a clone of Bug #1290840 +++

Description of problem:
Kernel Address Space Layout Randomization [KASLR] randomizes the physical and virtual address at which the kernel image is decompressed, as a security feature that deters exploit attempts relying on knowledge of the location of kernel internals.

The feature has been described in LWN article:
https://lwn.net/Articles/569635/

Comment 9 Fujitsu kernel team 2017-12-05 02:19:13 UTC
Marc-Andre,

Thanks for your work to this issue.

We at Fujitsu would like to verify the fix for this issue, so I have added
OtherQA in this ticket.

Could you provide us with test rpm and source rpm packages?

Could you also tell me where the bugzilla ticket for kernel package
is?

Thanks.
HATAYAMA, Daisuke

Comment 11 Fujitsu kernel team 2017-12-11 08:27:54 UTC
Marc-Andre,

Could you provide us with test rpm and source rpm packages?

If difficult now, could you tell me current plan?

Could you also tell me where the bugzilla ticket for kernel package
is? I need to track also the fix for kernel.

Thanks.
HATAYAMA, Daisuke

Comment 12 Ademar Reis 2017-12-11 18:15:46 UTC
(In reply to fj-lsoft-kernel-it from comment #11)
> Marc-Andre,
> 
> Could you provide us with test rpm and source rpm packages?
> 
> If difficult now, could you tell me current plan?
> 

The code is being reviewed and RPM packages should be available soon, once BZs are moved to MODIFIED or ON_QA.

> Could you also tell me where the bugzilla ticket for kernel package
> is? I need to track also the fix for kernel.

Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends on" field).

Comment 14 Fujitsu kernel team 2017-12-14 01:50:28 UTC
Ademar,

> --- Comment #12 from Ademar Reis <areis> ---
> (In reply to fj-lsoft-kernel-it from comment #11)
> > Marc-Andre,
> >
> > Could you provide us with test rpm and source rpm packages?
> >
> > If difficult now, could you tell me current plan?
> >
>
> The code is being reviewed and RPM packages should be available soon, once BZs
> are moved to MODIFIED or ON_QA.
>

I see. I'm waiting for ON_QA.

> > Could you also tell me where the bugzilla ticket for kernel package
> > is? I need to track also the fix for kernel.
>
> Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends
> on"
> field).

We at Fujitsu have no permission to see Bug 1493125 and Bug
1517775. Could you give us permissions to see Bug 1493125 and Bug
1517775 just like this Bug 1411490 and Bug 1395248?

Thanks.
HATAYAMA, Daisuke

Comment 15 Ademar Reis 2017-12-18 12:28:11 UTC
(In reply to fj-lsoft-kernel-it from comment #14)
> > Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends
> > on"
> > field).
> 
> We at Fujitsu have no permission to see Bug 1493125 and Bug
> 1517775. Could you give us permissions to see Bug 1493125 and Bug
> 1517775 just like this Bug 1411490 and Bug 1395248?
> 

Fixed, the BZs are public now. Thanks.

Comment 16 Miroslav Rezanina 2017-12-19 08:37:22 UTC
Fix included in qemu-kvm-1.5.3-151.el7

Comment 22 Marc-Andre Lureau 2018-01-02 14:48:39 UTC
Thanks cliao,

I have done some testing on my side, and it seems to work fine. Your testing of rhbz#1398633 also shows that kernel side is ok, as well as qemu-kvm-rhev backport.

Could you provide the crash debug log, "crash -d 4 ..."?

Can you check the kernel loaded the fw_cfg module? sudo cat /sys/firmware/qemu_fw_cfg/rev.

thanks

Comment 27 Miroslav Rezanina 2018-01-12 09:46:56 UTC
Fix included in qemu-kvm-1.5.3-153.el7

Comment 29 Fujitsu kernel team 2018-01-15 00:25:22 UTC
Hi Marc-Andre Lureau,

Is qemu-kvm-1.5.3-151.el7 going to be included in 7.5 beta, and so,
for our test, is it OK to wait for 7.5 beta for now? Or, if it is not
to be included in 7.5 beta, could you provide us with the rpm
package?

Thanks.
HATAYAMA, Daisuke

Comment 32 Ademar Reis 2018-01-16 17:40:53 UTC
(In reply to fj-lsoft-kernel-it from comment #29)
> Hi Marc-Andre Lureau,
> 
> Is qemu-kvm-1.5.3-151.el7 going to be included in 7.5 beta, and so,
> for our test, is it OK to wait for 7.5 beta for now? Or, if it is not
> to be included in 7.5 beta, could you provide us with the rpm
> package?

I believe the beta compose includes (or will include) qemu-kvm-1.5.3-153, so this won't be necessary.

Comment 33 cliao 2018-01-17 02:42:23 UTC
versions:
qemu : qemu-kvm-1.5.3-153.el7
kernel: kernel-3.10.0-829.el7.x86_64

steps:
1.boot guest:
/usr/libexec/qemu-kvm  \
                -m 1024 \
                -smp 1 \
                -vnc :0 \
                -name guest=test \
                -boot menu=on \
                -device virtio-scsi-pci,bus=pci.0,addr=0x5,id=scsi0 \
                -drive file=/home/rhel75-x86.raw,format=raw,if=none,id=drive-scsi0-0-0-0 \
                -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
                -device virtio-net-pci,mac=9a:70:71:72:74:73,id=idIBZSw2,vectors=4,netdev=idHrhHM9,bus=pci.0,addr=06,bootindex=2 \
                -netdev tap,id=idHrhHM9,vhost=on \
                -device vmcoreinfo \
                -monitor stdio -qmp tcp:0:4444,server,nowait

2.qmp commands:
{ "execute": "qmp_capabilities" }
{"return": {}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.normal"}}
{"timestamp": {"seconds": 1516153500, "microseconds": 111592}, "event": "STOP"}
{"timestamp": {"seconds": 1516153501, "microseconds": 10422}, "event": "RESUME"}
{"return": {}}
{"execute":"query-dump-guest-memory-capability"}
{"return": {"formats": ["elf", "kdump-zlib", "kdump-lzo", "kdump-snappy"]}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.elf", "format": "elf"}}
{"timestamp": {"seconds": 1516153515, "microseconds": 152697}, "event": "STOP"}
{"timestamp": {"seconds": 1516153516, "microseconds": 57862}, "event": "RESUME"}
{"return": {}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.zlib", "format": "kdump-zlib"}}
{"timestamp": {"seconds": 1516153523, "microseconds": 863578}, "event": "STOP"}
{"timestamp": {"seconds": 1516153541, "microseconds": 376711}, "event": "RESUME"}
{"return": {}}
{"timestamp": {"seconds": 1516153541, "microseconds": 376864}, "event": "VNC_DISCONNECTED", "data": {"server": {"auth": "none", "family": "ipv4", "service": "5900", "host": "0.0.0.0"}, "client": {"family": "ipv4", "service": "58640", "host": "10.66.4.105"}}}
{"timestamp": {"seconds": 1516154109, "microseconds": 979025}, "event": "SHUTDOWN"}
{"timestamp": {"seconds": 1516154109, "microseconds": 979200}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
{"timestamp": {"seconds": 1516154109, "microseconds": 979222}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}


3.
crash /usr/lib/debug/lib/modules/3.10.0-829.el7.x86_64/vmlinux  dump.elf 

crash 7.2.0-2.el7
Copyright (C) 2002-2017  Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010  IBM Corporation
Copyright (C) 1999-2006  Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012  Fujitsu Limited
Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011  NEC Corporation
Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.
 
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu"...

WARNING: kernel relocated [646MB]: patching 82021 gdb minimal_symbol values

      KERNEL: /usr/lib/debug/lib/modules/3.10.0-829.el7.x86_64/vmlinux 
    DUMPFILE: dump.elf
        CPUS: 1
        DATE: Tue Jan 16 20:45:14 2018
      UPTIME: 00:00:54
LOAD AVERAGE: 0.00, 0.00, 0.00
       TASKS: 107
    NODENAME: bootp-73-194-178.rhts.eng.pek2.redhat.com
     RELEASE: 3.10.0-829.el7.x86_64
     VERSION: #1 SMP Tue Jan 9 23:06:01 EST 2018
     MACHINE: x86_64  (3492 Mhz)
      MEMORY: 1 GB
       PANIC: ""
         PID: 0
     COMMAND: "swapper/0"
        TASK: ffffffffaa216480  [THREAD_INFO: ffffffffaa200000]
         CPU: 0
       STATE: TASK_RUNNING (ACTIVE)
     WARNING: panic task not found

crash> bt
PID: 0      TASK: ffffffffaa216480  CPU: 0   COMMAND: "swapper/0"
    [exception RIP: native_safe_halt+6]
    RIP: ffffffffa9cfc526  RSP: ffffffffaa203eb0  RFLAGS: 00000286
    RAX: 00000000ffffffed  RBX: ffffffffaa340c80  RCX: 0100000000000000
    RDX: 0000000000000000  RSI: 0000000000000000  RDI: 0000000000000046
    RBP: ffffffffaa203eb0   R8: 0000000000000000   R9: 0000000000000000
    R10: 0000000000000000  R11: 00000070446de780  R12: 0000000000000000
    R13: ffffffffaa200000  R14: ffffffffaa200000  R15: ffffffffaa200000
    CS: 0010  SS: 0018
 #0 [ffffffffaa203eb8] default_idle at ffffffffa9cfc35e
 #1 [ffffffffaa203ed8] arch_cpu_idle at ffffffffa96352b6
 #2 [ffffffffaa203ee8] cpu_startup_entry at ffffffffa96f103a
 #3 [ffffffffaa203f30] rest_init at ffffffffa9ce3dd7
 #4 [ffffffffaa203f40] start_kernel at ffffffffaa36b1af
 #5 [ffffffffaa203f88] x86_64_start_reservations at ffffffffaa36a72f
 #6 [ffffffffaa203f98] x86_64_start_kernel at ffffffffaa36a885
 #7 [ffffffffaa203ff0] start_cpu at ffffffffa96000d5
crash> q
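
As an added example (not part of this bug report and not QEMU's own tooling), a minimal Python QMP client that drives the same dump-guest-memory exchange shown in the steps above: it separates the interleaved STOP/RESUME events from the command's return, refuses to proceed on an error reply, and picks a dump format from query-dump-guest-memory-capability. The replayed replies are constructed from the log; against a live guest, pass the same `sock.makefile("rw")` object as both reader and writer.

```python
import io
import json

class QmpClient(object):
    def __init__(self, reader, writer):
        self.reader, self.writer = reader, writer
        self.events = []  # asynchronous events seen so far (STOP, RESUME, ...)

    def command(self, name, **arguments):
        msg = {"execute": name, "arguments": arguments} if arguments else {"execute": name}
        self.writer.write(json.dumps(msg) + "\n")
        self.writer.flush()
        while True:  # STOP/RESUME events arrive before the "return" of a dump command
            line = self.reader.readline()
            if not line:
                raise RuntimeError("connection closed while waiting for " + name)
            reply = json.loads(line)
            if "QMP" in reply:  # greeting banner, sent once when the socket opens
                continue
            if "event" in reply:
                self.events.append(reply["event"])
                continue
            if "error" in reply:
                raise RuntimeError(reply["error"].get("desc", str(reply["error"])))
            return reply["return"]

    def dump_guest_memory(self, path, fmt=None):
        args = {"paging": False, "protocol": "file:" + path}
        if fmt:  # must be a format listed by query-dump-guest-memory-capability
            args["format"] = fmt
        return self.command("dump-guest-memory", **args)

# Constructed replay of the monitor replies shown in the steps above, standing in for a socket.
SAMPLE_REPLIES = "\n".join([
    '{"QMP": {"version": {}, "capabilities": []}}',
    '{"return": {}}',
    '{"return": {"formats": ["elf", "kdump-zlib", "kdump-lzo", "kdump-snappy"]}}',
    '{"timestamp": {"seconds": 1516153523, "microseconds": 863578}, "event": "STOP"}',
    '{"timestamp": {"seconds": 1516153541, "microseconds": 376711}, "event": "RESUME"}',
    '{"return": {}}',
]) + "\n"

def demo():
    sent = io.StringIO()
    c = QmpClient(io.StringIO(SAMPLE_REPLIES), sent)
    c.command("qmp_capabilities")  # leave capabilities-negotiation mode first
    formats = c.command("query-dump-guest-memory-capability")["formats"]
    fmt = "kdump-zlib" if "kdump-zlib" in formats else None  # None -> plain ELF dump
    c.dump_guest_memory("/home/dump.zlib", fmt)
    return formats, c.events, json.loads(sent.getvalue().splitlines()[-1])
```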

Comment 35 Miroslav Rezanina 2018-01-24 11:17:41 UTC
Fix included in qemu-kvm-1.5.3-154.el7

Comment 37 cliao 2018-01-25 03:12:09 UTC
versions:
qemu : qemu-kvm-1.5.3-154.el7
kernel: kernel-3.10.0-829.el7.x86_64
python: Python 2.7.5

steps:
gdb core.131814 
......
(gdb) source /usr/share/qemu-kvm/dump-guest-memory.py
(gdb) set height 0
(gdb) dump-guest-memory /home/vmcore 
guest RAM blocks:
target_start     target_end       host_addr        message count
---------------- ---------------- ---------------- ------- -----
0000000000000000 00000000000a0000 00007fe37dc00000 added       1
00000000000c0000 00000000000ca000 00007fe37dcc0000 added       2
00000000000ca000 00000000000cd000 00007fe37dcca000 joined      2
00000000000cd000 00000000000e8000 00007fe37dccd000 joined      2
00000000000e8000 00000000000f0000 00007fe37dce8000 joined      2
00000000000f0000 0000000000100000 00007fe37dcf0000 joined      2
0000000000100000 0000000040000000 00007fe37dd00000 joined      2
00000000fc000000 00000000fd000000 00007fe37c800000 added       3
00000000fffc0000 0000000100000000 00007fe37da00000 added       4
dumping range at 00007fe37dc00000 for length 00000000000a0000
dumping range at 00007fe37dcc0000 for length 000000003ff40000
dumping range at 00007fe37c800000 for length 0000000001000000
dumping range at 00007fe37da00000 for length 0000000000040000
(gdb) q

Comment 38 fj-lsoft-rh-dump 2018-01-29 04:49:01 UTC
Hi Marc-Andre Lureau,

Could you provide us with the rpm and source rpm packages of
qemu-kvm-1.5.3-154.el7 for our testing?

I tried qemu-kvm-1.5.3-152.el7.x86_64 provided in RHEL7.5 beta
but vmcoreinfo device was not detected by fw_cfg on the guest
using kernel-3.10.0-830.el7.x86_64, default kernel in RHEL7.5 beta.
On the other hand, when I tried the upstream version of qemu instead, then
vmcoreinfo device was successfully detected on the same guest.
So, I guess the two additional patches from 152 to 154 include
some necessary fix for this ticket.

Thanks.
HATAYAMA, Daisuke

Comment 39 Marc-Andre Lureau 2018-01-30 10:10:46 UTC
(In reply to fj-lsoft-rh-dump from comment #38)
> Hi Marc-Andre Lureau,
> 
> Could you provide us with the rpm and source rpm packages of
> qemu-kvm-1.5.3-154.el7 for our testing?

ACPI fix included in qemu-kvm-1.5.3-153.el7, and qemu gdb python 2 script fix included in qemu-kvm-1.5.3-154.el7.

rpm and srpm requests need to be emailed to partner-mentor by the onsite partner engineer

Comment 40 fj-lsoft-rh-dump 2018-02-02 06:37:16 UTC
Hi Marc-Andre Lureau,

I confirmed that the issue in this ticket has been fixed correctly.

qemu-kvm-1.5.3-154.el7.x86_64 is shipped with RHEL7.5 SnapShot1
released tomorrow and I see that using the package, the vmcoreinfo
device is detected by the guest kernel as expected.

I really appreciate your work.

Thanks.
HATAYAMA, Daisuke

Comment 44 errata-xmlrpc 2018-04-10 14:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0816