Bug 1411490
Summary: | [RFE] Kernel address space layout randomization [KASLR] support (qemu-kvm) | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ademar Reis <areis> | |
Component: | qemu-kvm | Assignee: | Marc-Andre Lureau <marcandre.lureau> | |
Status: | CLOSED ERRATA | QA Contact: | cliao <cliao> | |
Severity: | high | Docs Contact: | Jiri Herrmann <jherrman> | |
Priority: | medium | |||
Version: | 7.3 | CC: | anderson, areis, arozansk, berrange, bhe, chayang, chorn, cliao, coli, cye, drjones, fj-lsoft-kernel-it, fj-lsoft-rh-dump, herbert.xu, jinzhao, jpoimboe, juzhang, knoel, lersek, libvirt-maint, lmiksik, lwang, marcandre.lureau, michen, mrezanin, mtessun, ngu, pasik, pingl, pmatouse, rbalakri, ruyang, virt-bugs, virt-maint, yafu, yuhuang | |
Target Milestone: | rc | Keywords: | FutureFeature, OtherQA | |
Target Release: | 7.5 | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | qemu-kvm-1.5.3-154.el7 | Doc Type: | Release Note | |
Doc Text: |
KASLR for KVM guests
Red Hat Enterprise Linux 7.5 introduces the Kernel Address Space Layout Randomization (KASLR) feature for KVM guest virtual machines. KASLR enables randomizing the physical and virtual address at which the kernel image is decompressed, and thus prevents guest security exploits based on the location of kernel objects.
KASLR is activated by default, but can be deactivated on a specific guest by adding the `nokaslr` string to the guest's kernel command line.
Note that kernel crash dumps of guests with KASLR activated cannot be analyzed using the *crash* utility. To fix this, add the `<vmcoreinfo/>` element to the `<features>` section of the XML configuration files of your guests. However, KVM guests with `<vmcoreinfo/>` cannot be migrated to a host system that does not support this element. This includes hosts that use Red Hat Enterprise Linux 7.4 and earlier.
|
Story Points: | --- | |
Clone Of: | 1398633 | |||
: | 1484340 1519748 (view as bug list) | Environment: | ||
Last Closed: | 2018-04-10 14:32:19 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1290840, 1398633, 1424943, 1493125 | |||
Bug Blocks: | 1288169, 1395248, 1469590, 1484340, 1519748, 1522983, 1555268, 1555276, 1568461, 1568736 |
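
The Doc Text above asks administrators to add `<vmcoreinfo/>` under `<features>` so that dumps of KASLR guests stay analyzable. The following is an added example, not code from this bug report or from qemu-kvm or libvirt: it audits libvirt domain XML for that element and inserts it where missing. The sample domains are constructed, and treating `state='off'` as disabled is an assumption about later libvirt releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the bug report).
DOMAIN_WITHOUT = """<domain type='kvm'>
  <name>guest-a</name>
  <features><acpi/><apic/></features>
</domain>"""
DOMAIN_WITH = """<domain type='kvm'>
  <name>guest-b</name>
  <features><acpi/><vmcoreinfo/></features>
</domain>"""
DOMAIN_NO_FEATURES = "<domain type='kvm'><name>guest-c</name></domain>"


def has_vmcoreinfo(domain_xml):
    """True if <features> holds a <vmcoreinfo/> that is not switched off."""
    node = ET.fromstring(domain_xml).find("./features/vmcoreinfo")
    # Assumption: state='off' (attribute form of later libvirt) disables the device.
    return node is not None and node.get("state", "on") != "off"


def ensure_vmcoreinfo(domain_xml):
    """Return the domain XML with <vmcoreinfo/> enabled under <features>."""
    root = ET.fromstring(domain_xml)
    features = root.find("features")
    if features is None:
        features = ET.SubElement(root, "features")
    node = features.find("vmcoreinfo")
    if node is None:
        ET.SubElement(features, "vmcoreinfo")
    elif node.get("state") == "off":
        node.set("state", "on")
    return ET.tostring(root, encoding="unicode")


def audit(domains):
    """Map guest name -> True when its dumps will carry vmcoreinfo."""
    report = {}
    for xml_text in domains:
        name = ET.fromstring(xml_text).findtext("name", default="(unnamed)")
        report[name] = has_vmcoreinfo(xml_text)
    return report


if __name__ == "__main__":
    for guest, ok in audit([DOMAIN_WITHOUT, DOMAIN_WITH, DOMAIN_NO_FEATURES]).items():
        print(f"{guest}: vmcoreinfo {'present' if ok else 'MISSING'}")
```

Guests that gain the element through `ensure_vmcoreinfo` fall under the migration restriction stated in the Doc Text, so run the audit before planning migrations to Red Hat Enterprise Linux 7.4 or earlier hosts.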
Description
Ademar Reis
2017-01-09 20:28:29 UTC
Marc-Andre,

Thanks for your work to this issue. We Fujitsu like to verify the fix for this issue, so I have added OtherQA in this ticket. Could you provide us with test rpm and source rpm packages?

Could you also tell me where the bugzilla ticket for kernel package is?

Thanks.
HATAYAMA, Daisuke

Marc-Andre,

Could you provide us with test rpm and source rpm packages?

If difficult now, could you tell me current plan?

Could you also tell me where the bugzilla ticket for kernel package is? I need to track also the fix for kernel.

Thanks.
HATAYAMA, Daisuke

(In reply to fj-lsoft-kernel-it from comment #11)
> Marc-Andre,
>
> Could you provide us with test rpm and source rpm packages?
>
> If difficult now, could you tell me current plan?
>

The code is being reviewed and RPM packages should be available soon, once BZs are moved to MODIFIED or ON_QA.

> Could you also tell me where the bugzilla ticket for kernel package
> is? I need to track also the fix for kernel.

Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends on" field).

Ademar,

> --- Comment #12 from Ademar Reis <areis> ---
> (In reply to fj-lsoft-kernel-it from comment #11)
> > Marc-Andre,
> >
> > Could you provide us with test rpm and source rpm packages?
> >
> > If difficult now, could you tell me current plan?
> >
>
> The code is being reviewed and RPM packages should be available soon, once BZs
> are moved to MODIFIED or ON_QA.
>

I see. I'm waiting for ON_QA.

> > Could you also tell me where the bugzilla ticket for kernel package
> > is? I need to track also the fix for kernel.
>
> Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends on"
> field).

We Fujitsu have no permission to see Bug 1493125 and Bug 1517775. Could you give us permissions to see Bug 1493125 and Bug 1517775 just like this Bug 1411490 and Bug 1395248?

Thanks.
HATAYAMA, Daisuke

(In reply to fj-lsoft-kernel-it from comment #14)
> > Kernel BZs are: Bug 1493125 and Bug 1517775 (also available in the "depends on"
> > field).
>
> We Fujitsu have no permission to see Bug 1493125 and Bug
> 1517775. Could you give us permissions to see Bug 1493125 and Bug
> 1517775 just like this Bug 1411490 and Bug 1395248?
>

Fixed, the BZs are public now. Thanks.

Fix included in qemu-kvm-1.5.3-151.el7

Thanks cliao,

I have done some testing on my side, and it seems to work fine. Your testing of rhbz#1398633 also shows that kernel side is ok, as well as qemu-kvm-rhev backport.

Could you provide the crash debug log, "crash -d 4 ..."?

Can you check the kernel loaded the fw_cfg module? sudo cat /sys/firmware/qemu_fw_cfg/rev.

thanks

Fix included in qemu-kvm-1.5.3-153.el7

Hi Marc-Andre Lureau,

Is qemu-kvm-1.5.3-151.el7 is going to be included in 7.5 beta and so for our test, is it OK to wait for 7.5 beta for now? Or, if it is not to be included in 7.5. beta, could you provide us with the rpm package?

Thanks.
HATAYAMA, Daisuke

(In reply to fj-lsoft-kernel-it from comment #29)
> Hi Marc-Andre Lureau,
>
> Is qemu-kvm-1.5.3-151.el7 is going to be included in 7.5 beta and so
> for our test, is it OK to wait for 7.5 beta for now? Or, if it is not
> to be included in 7.5. beta, could you provide us with the rpm
> package?

I believe the beta compose includes (or will include) qemu-kvm-1.5.3-153, so this won't be necessary.

versions:
qemu : qemu-kvm-1.5.3-153.el7
kernel: kernel-3.10.0-829.el7.x86_64

steps:
1. boot guest:

```
/usr/libexec/qemu-kvm \
-m 1024 \
-smp 1 \
-vnc :0 \
-name guest=test \
-boot menu=on \
-device virtio-scsi-pci,bus=pci.0,addr=0x5,id=scsi0 \
-drive file=/home/rhel75-x86.raw,format=raw,if=none,id=drive-scsi0-0-0-0 \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
-device virtio-net-pci,mac=9a:70:71:72:74:73,id=idIBZSw2,vectors=4,netdev=idHrhHM9,bus=pci.0,addr=06,bootindex=2 \
-netdev tap,id=idHrhHM9,vhost=on \
-device vmcoreinfo \
-monitor stdio -qmp tcp:0:4444,server,nowait
```

2. qmp commands:

```
{ "execute": "qmp_capabilities" }
{"return": {}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.normal"}}
{"timestamp": {"seconds": 1516153500, "microseconds": 111592}, "event": "STOP"}
{"timestamp": {"seconds": 1516153501, "microseconds": 10422}, "event": "RESUME"}
{"return": {}}
{"execute":"query-dump-guest-memory-capability"}
{"return": {"formats": ["elf", "kdump-zlib", "kdump-lzo", "kdump-snappy"]}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.elf", "format": "elf"}}
{"timestamp": {"seconds": 1516153515, "microseconds": 152697}, "event": "STOP"}
{"timestamp": {"seconds": 1516153516, "microseconds": 57862}, "event": "RESUME"}
{"return": {}}
{"execute": "dump-guest-memory", "arguments": { "paging": false, "protocol": "file:/home/dump.zlib", "format": "kdump-zlib"}}
{"timestamp": {"seconds": 1516153523, "microseconds": 863578}, "event": "STOP"}
{"timestamp": {"seconds": 1516153541, "microseconds": 376711}, "event": "RESUME"}
{"return": {}}
{"timestamp": {"seconds": 1516153541, "microseconds": 376864}, "event": "VNC_DISCONNECTED", "data": {"server": {"auth": "none", "family": "ipv4", "service": "5900", "host": "0.0.0.0"}, "client": {"family": "ipv4", "service": "58640", "host": "10.66.4.105"}}}
SSaaa{"timestamp": {"seconds": 1516154109, "microseconds": 979025}, "event": "SHUTDOWN"}
{"timestamp": {"seconds": 1516154109, "microseconds": 979200}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}}
{"timestamp": {"seconds": 1516154109, "microseconds": 979222}, "event": "DEVICE_TRAY_MOVED", "data": {"device": "floppy0", "tray-open": true}}
```

3. crash /usr/lib/debug/lib/modules/3.10.0-829.el7.x86_64/vmlinux dump.elf

```
crash 7.2.0-2.el7
Copyright (C) 2002-2017 Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
Copyright (C) 1999-2006 Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011 NEC Corporation
Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. Enter "help copying" to see the conditions.
This program has absolutely no warranty. Enter "help warranty" for details.

GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu"...

WARNING: kernel relocated [646MB]: patching 82021 gdb minimal_symbol values

      KERNEL: /usr/lib/debug/lib/modules/3.10.0-829.el7.x86_64/vmlinux
    DUMPFILE: dump.elf
        CPUS: 1
        DATE: Tue Jan 16 20:45:14 2018
      UPTIME: 00:00:54
LOAD AVERAGE: 0.00, 0.00, 0.00
       TASKS: 107
    NODENAME: bootp-73-194-178.rhts.eng.pek2.redhat.com
     RELEASE: 3.10.0-829.el7.x86_64
     VERSION: #1 SMP Tue Jan 9 23:06:01 EST 2018
     MACHINE: x86_64 (3492 Mhz)
      MEMORY: 1 GB
       PANIC: ""
         PID: 0
     COMMAND: "swapper/0"
        TASK: ffffffffaa216480 [THREAD_INFO: ffffffffaa200000]
         CPU: 0
       STATE: TASK_RUNNING (ACTIVE)
     WARNING: panic task not found

crash> bt
PID: 0 TASK: ffffffffaa216480 CPU: 0 COMMAND: "swapper/0"
    [exception RIP: native_safe_halt+6]
    RIP: ffffffffa9cfc526 RSP: ffffffffaa203eb0 RFLAGS: 00000286
    RAX: 00000000ffffffed RBX: ffffffffaa340c80 RCX: 0100000000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000046
    RBP: ffffffffaa203eb0 R8: 0000000000000000 R9: 0000000000000000
    R10: 0000000000000000 R11: 00000070446de780 R12: 0000000000000000
    R13: ffffffffaa200000 R14: ffffffffaa200000 R15: ffffffffaa200000
    CS: 0010 SS: 0018
 #0 [ffffffffaa203eb8] default_idle at ffffffffa9cfc35e
 #1 [ffffffffaa203ed8] arch_cpu_idle at ffffffffa96352b6
 #2 [ffffffffaa203ee8] cpu_startup_entry at ffffffffa96f103a
 #3 [ffffffffaa203f30] rest_init at ffffffffa9ce3dd7
 #4 [ffffffffaa203f40] start_kernel at ffffffffaa36b1af
 #5 [ffffffffaa203f88] x86_64_start_reservations at ffffffffaa36a72f
 #6 [ffffffffaa203f98] x86_64_start_kernel at ffffffffaa36a885
 #7 [ffffffffaa203ff0] start_cpu at ffffffffa96000d5
crash> q
```

Fix included in qemu-kvm-1.5.3-154.el7

versions:
qemu : qemu-kvm-1.5.3-154.el7
kernel: kernel-3.10.0-829.el7.x86_64
python: Python 2.7.5

steps:
gdb core.131814

```
......
(gdb) source /usr/share/qemu-kvm/dump-guest-memory.py
(gdb) set height 0
(gdb) dump-guest-memory /home/vmcore
guest RAM blocks:
target_start     target_end       host_addr        message count
---------------- ---------------- ---------------- ------- -----
0000000000000000 00000000000a0000 00007fe37dc00000 added       1
00000000000c0000 00000000000ca000 00007fe37dcc0000 added       2
00000000000ca000 00000000000cd000 00007fe37dcca000 joined      2
00000000000cd000 00000000000e8000 00007fe37dccd000 joined      2
00000000000e8000 00000000000f0000 00007fe37dce8000 joined      2
00000000000f0000 0000000000100000 00007fe37dcf0000 joined      2
0000000000100000 0000000040000000 00007fe37dd00000 joined      2
00000000fc000000 00000000fd000000 00007fe37c800000 added       3
00000000fffc0000 0000000100000000 00007fe37da00000 added       4
dumping range at 00007fe37dc00000 for length 00000000000a0000
dumping range at 00007fe37dcc0000 for length 000000003ff40000
dumping range at 00007fe37c800000 for length 0000000001000000
dumping range at 00007fe37da00000 for length 0000000000040000
(gdb) q
```

Hi Marc-Andre Lureau,

Could you provide us with the rpm and source rpm packages of qemu-kvm-1.5.3-154.el7 for our testing?

I tried qemu-kvm-1.5.3-152.el7.x86_64 provided in RHEL7.5 beta but vmcoreinfo device was not detected by fw_cfg on the guest using kernel-3.10.0-830.el7.x86_64, default kernel in RHEL7.5 beta.

On the other hand, when I tried the upstream version of qemu instead, then vmcoreinfo device was successfully detected on the same guest. So, I guess the two additional patches from 152 to 154 include some necessary fix for this ticket.

Thanks.
HATAYAMA, Daisuke

(In reply to fj-lsoft-rh-dump from comment #38)
> Hi Marc-Andre Lureau,
>
> Could you provide us with the rpm and source rpm packages of
> qemu-kvm-1.5.3-154.el7 for our testing?

ACPI fix included in qemu-kvm-1.5.3-153.el7, and qemu gdb python 2 script fix included in qemu-kvm-1.5.3-154.el7.

rpm and srpm requests need to be emailed to partner-mentor by the onsite partner engineer

Hi Marc-Andre Lureau,

I confirmed that the issue in this ticket has been fixed correctly. qemu-kvm-1.5.3-154.el7.x86_64 is shipped with RHEL7.5 SnapShot1 released tomorrow and I see that using the package, the vmcoreinfo device is detected by the guest kernel as expected.

I really appreciated for your work.

Thanks.
HATAYAMA, Daisuke

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0816