From: Ingo Molnar <mingo@elte.hu>
To: Pavel Machek <pavel@suse.cz>
Cc: linux-kernel@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Stephane Eranian <eranian@googlemail.com>,
Eric Dumazet <dada1@cosmosbay.com>,
Robert Richter <robert.richter@amd.com>,
Arjan van de Ven <arjan@infradead.org>,
Peter Anvin <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Paul Mackerras <paulus@samba.org>,
"David S. Miller" <davem@davemloft.net>,
perfctr-devel@lists.sourceforge.net
Subject: Re: [patch] Performance Counters for Linux, v4
Date: Tue, 16 Dec 2008 13:50:00 +0100 [thread overview]
Message-ID: <20081216125000.GC25019@elte.hu> (raw)
In-Reply-To: <20081216122229.GA1430@ucw.cz>
* Pavel Machek <pavel@suse.cz> wrote:
> Hmm, if I timec some setuid program, what happens?
yes, i already had a quick look at that a few days ago when i implemented
counter inheritance (for different reasons) and couldnt find the cleanest
place to put the exec() flushing into so i procrastinated that a bit :)
> Performance counters seem like great tool to pull secret keys out of
> other processes :-).
if you worry about _that_ angle you also have to:
- turn off the cycle counter
- turn off precise utimes
- plus you have to forbid SMT CPUs as well. On HT a task could
co-schedule with your setuid task and observe its timing
characteristics via its _own_ behavior. (which is impacted by whatever
is running on another SMT/HT thread.)
the real exec() worry are: active, IRQ driven samples/events. Not possible
yet via the current iteration of counter inheritance (hence my
procrastination) - but it makes sense and that's why i was looking at the
exec() angle.
and that will flush simple counters too, removing your theoretical attack
angle as well.
So how about the patch below?
Ingo
--------------->
Subject: perfcounters: flush on setuid exec
From: Ingo Molnar <mingo@elte.hu>
Date: Tue Dec 16 13:40:44 CET 2008
Pavel Machek pointed out that performance counters should be flushed
when crossing protection domains on setuid execution.
Reported-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
fs/exec.c | 8 ++++++++
1 file changed, 8 insertions(+)
Index: linux/fs/exec.c
===================================================================
--- linux.orig/fs/exec.c
+++ linux/fs/exec.c
@@ -33,6 +33,7 @@
#include <linux/string.h>
#include <linux/init.h>
#include <linux/pagemap.h>
+#include <linux/perf_counter.h>
#include <linux/highmem.h>
#include <linux/spinlock.h>
#include <linux/key.h>
@@ -1015,6 +1016,13 @@ int flush_old_exec(struct linux_binprm *
set_dumpable(current->mm, suid_dumpable);
}
+ /*
+ * Flush performance counters when crossing a
+ * security domain:
+ */
+ if (!get_dumpable(current->mm))
+ perf_counter_exit_task(current);
+
/* An exec changes our domain. We are no longer part of the thread
group */
next prev parent reply other threads:[~2008-12-16 12:50 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-14 21:28 [patch] Performance Counters for Linux, v4 Ingo Molnar
2008-12-15 11:59 ` Paul Mackerras
2008-12-15 12:11 ` Paul Mackerras
2008-12-16 14:22 ` Peter Zijlstra
2008-12-16 23:06 ` Paul Mackerras
2008-12-16 23:51 ` Ingo Molnar
2008-12-17 1:55 ` Andi Kleen
2009-01-16 18:01 ` Corey Ashford
2009-01-16 22:14 ` Maynard Johnson
2009-01-16 23:11 ` Ingo Molnar
2009-01-17 1:26 ` Paul Mackerras
2009-01-17 9:53 ` Andi Kleen
2008-12-17 2:23 ` [Perfctr-devel] " Dan Terpstra
2008-12-17 7:34 ` stephane eranian
2008-12-15 17:44 ` Vince Weaver
2008-12-15 21:07 ` Vince Weaver
2008-12-15 22:13 ` Paul Mackerras
2008-12-15 21:42 ` Paul Mackerras
2008-12-15 22:03 ` stephane eranian
2008-12-16 14:42 ` Peter Zijlstra
2008-12-16 16:55 ` Vince Weaver
2008-12-16 21:52 ` Paul Mackerras
2008-12-16 12:22 ` Pavel Machek
2008-12-16 12:50 ` Ingo Molnar [this message]
2008-12-16 12:57 ` Pavel Machek
2008-12-16 13:03 ` Ingo Molnar
2008-12-16 13:13 ` Arjan van de Ven
2008-12-16 20:04 ` Pavel Machek
2008-12-16 14:45 ` Peter Zijlstra
2008-12-16 15:46 ` [Perfctr-devel] " Martin Cracauer
2008-12-16 17:38 ` Vince Weaver
2008-12-16 19:47 ` Corey Ashford
2008-12-16 20:55 ` Vince Weaver
2008-12-16 19:56 ` [Perfctr-devel] " William Cohen
2008-12-17 1:51 ` Andi Kleen
2008-12-17 1:56 ` Samuel Thibault
[not found] ` <d484eb1f0812162357n7a851f2fncc0abaae9bd293a4@mail.gmail.com>
2008-12-17 9:18 ` Andi Kleen
[not found] ` <d484eb1f0812170611s597e014cl5fb98d6dd81afd49@mail.gmail.com>
2008-12-17 15:06 ` Andi Kleen
2008-12-17 16:00 ` William Cohen
2008-12-17 20:53 ` Corey Ashford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081216125000.GC25019@elte.hu \
--to=mingo@elte.hu \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=dada1@cosmosbay.com \
--cc=davem@davemloft.net \
--cc=eranian@googlemail.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paulus@samba.org \
--cc=pavel@suse.cz \
--cc=perfctr-devel@lists.sourceforge.net \
--cc=robert.richter@amd.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.