From: Pavel Machek <pavel@ucw.cz>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Mark Seaborn <mseaborn@chromium.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Pavel Emelyanov <xemul@parallels.com>,
Konstantin Khlebnikov <khlebnikov@openvz.org>
Subject: rowhammer and pagemap (was Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace)
Date: Tue, 17 Mar 2015 12:16:53 +0100 [thread overview]
Message-ID: <20150317111653.GA23711@amd> (raw)
In-Reply-To: <CALCETrU8SeOTSexLOi36sX7Smwfv0baraK=A3hq8twoyBN7NBg@mail.gmail.com>
> > Given that, I think it would still be worthwhile to disable /proc/PID/pagemap.
>
> Having slept on this further, I think that unprivileged pagemap access
> is awful and we should disable it with no option to re-enable. If we
> absolutely must, we could allow programs to read all zeros or to read
> addresses that are severely scrambled (e.g. ECB-encrypted by a key
> generated once per open of pagemap).
> - It could easily leak direct-map addresses, and there's a nice paper
> detailing a SMAP bypass using that technique.
Do you have a pointer?
> Can we just try getting rid of it except with global CAP_SYS_ADMIN.
>
> (Hmm. Rowhammer attacks targeting SMRAM could be interesting.)
:-).
> >> Can we do anything about that? Disabling cache flushes from userland
> >> should make it no longer exploitable.
> >
> > Unfortunately there's no way to disable userland code's use of
> > CLFLUSH, as far as I know.
> >
> > Maybe Intel or AMD could disable CLFLUSH via a microcode update, but
> > they have not said whether that would be possible.
>
> The Intel people I asked last week weren't confident. For one thing,
> I fully expect that rowhammer can be exploited using only reads and
> writes with some clever tricks involving cache associativity. I don't
> think there are any fully-associative caches, although the cache
> replacement algorithm could make the attacks interesting.
We should definitely get Intel/AMD to disable CLFLUSH, then.
Because if it can be exploited using reads, it is _extremely_
important to know. As it probably means rowhammer can be exploited
using Javascript / Java... and affected machines are unsafe even
without remote users.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Pavel Machek <pavel@ucw.cz>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Mark Seaborn <mseaborn@chromium.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Pavel Emelyanov <xemul@parallels.com>,
Konstantin Khlebnikov <khlebnikov@openvz.org>
Subject: rowhammer and pagemap (was Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace)
Date: Tue, 17 Mar 2015 12:16:53 +0100 [thread overview]
Message-ID: <20150317111653.GA23711@amd> (raw)
In-Reply-To: <CALCETrU8SeOTSexLOi36sX7Smwfv0baraK=A3hq8twoyBN7NBg@mail.gmail.com>
> > Given that, I think it would still be worthwhile to disable /proc/PID/pagemap.
>
> Having slept on this further, I think that unprivileged pagemap access
> is awful and we should disable it with no option to re-enable. If we
> absolutely must, we could allow programs to read all zeros or to read
> addresses that are severely scrambled (e.g. ECB-encrypted by a key
> generated once per open of pagemap).
> - It could easily leak direct-map addresses, and there's a nice paper
> detailing a SMAP bypass using that technique.
Do you have a pointer?
> Can we just try getting rid of it except with global CAP_SYS_ADMIN.
>
> (Hmm. Rowhammer attacks targeting SMRAM could be interesting.)
:-).
> >> Can we do anything about that? Disabling cache flushes from userland
> >> should make it no longer exploitable.
> >
> > Unfortunately there's no way to disable userland code's use of
> > CLFLUSH, as far as I know.
> >
> > Maybe Intel or AMD could disable CLFLUSH via a microcode update, but
> > they have not said whether that would be possible.
>
> The Intel people I asked last week weren't confident. For one thing,
> I fully expect that rowhammer can be exploited using only reads and
> writes with some clever tricks involving cache associativity. I don't
> think there are any fully-associative caches, although the cache
> replacement algorithm could make the attacks interesting.
We should definitely get Intel/AMD to disable CLFLUSH, then.
Because if it can be exploited using reads, it is _extremely_
important to know. As it probably means rowhammer can be exploited
using Javascript / Java... and affected machines are unsafe even
without remote users.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
next prev parent reply other threads:[~2015-03-17 11:16 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-09 21:11 [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace Kirill A. Shutemov
2015-03-09 21:11 ` Kirill A. Shutemov
2015-03-09 21:20 ` Pavel Emelyanov
2015-03-09 21:20 ` Pavel Emelyanov
2015-03-09 22:09 ` Konstantin Khlebnikov
2015-03-09 22:09 ` Konstantin Khlebnikov
2015-03-10 0:11 ` Kees Cook
2015-03-10 0:11 ` Kees Cook
2015-03-10 0:19 ` Andy Lutomirski
2015-03-10 0:19 ` Andy Lutomirski
2015-03-10 2:36 ` Dave Hansen
2015-03-10 2:36 ` Dave Hansen
2015-03-16 21:11 ` Pavel Machek
2015-03-16 21:11 ` Pavel Machek
2015-03-17 0:49 ` Mark Seaborn
2015-03-17 0:49 ` Mark Seaborn
2015-03-17 1:21 ` Andy Lutomirski
2015-03-17 1:21 ` Andy Lutomirski
2015-03-17 11:16 ` Pavel Machek [this message]
2015-03-17 11:16 ` rowhammer and pagemap (was Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace) Pavel Machek
2015-03-17 17:58 ` One Thousand Gnomes
2015-03-17 17:58 ` One Thousand Gnomes
2015-03-23 21:26 ` Pavel Machek
2015-03-23 21:26 ` Pavel Machek
2015-03-19 12:51 ` [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace Vlastimil Babka
2015-03-19 12:51 ` Vlastimil Babka
2015-03-23 21:26 ` Pavel Machek
2015-03-23 21:26 ` Pavel Machek
2015-03-23 22:36 ` Vlastimil Babka
2015-03-23 22:36 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150317111653.GA23711@amd \
--to=pavel@ucw.cz \
--cc=akpm@linux-foundation.org \
--cc=khlebnikov@openvz.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mseaborn@chromium.org \
--cc=torvalds@linux-foundation.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.