From: Jeremy Fitzhardinge <jeremy@goop.org>
To: Dan Magenheimer <dan.magenheimer@oracle.com>
Cc: Pavel Machek <pavel@ucw.cz>,
	linux-kernel@vger.kernel.org, xen-devel@lists.xensource.com,
	npiggin@suse.de, chris.mason@oracle.com, kurt.hackel@oracle.com,
	dave.mccracken@oracle.com, Avi Kivity <avi@redhat.com>,
	Rik van Riel <riel@redhat.com>,
	alan@lxorguk.ukuu.org.uk, Rusty Russell <rusty@rustcorp.com.au>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	akpm@osdl.org, Marcelo Tosatti <mtosatti@redhat.com>,
	Balbir Singh <balbir@linux.vnet.ibm.com>,
	tmem-devel@oss.oracle.com, sunil.mushran@oracle.com,
	linux-mm@kvack.org, Himanshu Raj <rhim@microsoft.com>,
	Keir Fraser <keir.fraser@eu.citrix.com>
Subject: Re: [RFC] transcendent memory for Linux
Date: Tue, 30 Jun 2009 15:46:48 -0700	[thread overview]
Message-ID: <4A4A95D8.6020708@goop.org> (raw)
In-Reply-To: <c31ca108-9b68-40ba-936f-3ed2a56fd90b@default>

On 06/30/09 14:21, Dan Magenheimer wrote:
> No, the uuid can't be verified.  Tmem gives no indication
> as to whether a newly-created pool is already in use (shared)
> by another guest.  So without both the 128-bit uuid and an
> already-in-use 64-bit object id and 32-bit page index, no data
> is readable or writable by the attacker.
>   

You have to consider things like timing attacks as well (for example, a
tmem hypercall might return faster if the uuid already exists).

Besides, you can tell whether a uuid exists, by at least a couple of
mechanisms (from a quick read of the source, so I might have overlooked
something):

   1. You can create new shared pools until it starts failing as a
      result of hitting the MAX_GLOBAL_SHARED_POOLS limit with junk
      uuids.  If you then successfully "create" a shared pool while
      searching, you know it already existed.
   2. The returned pool id will increase unless the pool already exists,
      in which case you'll get a smaller id back (ignoring wraparound).


> Hmmm... that is definitely a thornier problem.  I guess the
> security angle definitely deserves more design.  But, again,
> this affects only shared precache which is not intended
> to be part of the proposed initial tmem patchset, so this is a futures
> issue.

Yeah, a shared namespace of accessible objects is an entirely new thing
in the Xen universe.  I would also drop Xen support until there's a good
security story about how they can be used.

    J
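A toy model of the pool-id oracle described in point 2 above (and of the quota aspect of point 1), added here as an illustration; it is not code from the tmem patches or from Xen. MAX_GLOBAL_SHARED_POOLS is reused as a name only, with an assumed toy value, and the hardened variant (per-domain opaque handles plus a per-domain quota that keeps one domain from filling the global table) is an assumed mitigation, not something the thread proposes. The timing difference mentioned in the mail is not addressed by this model.

```c
#include <stdint.h>
#include <string.h>

#define MAX_GLOBAL_SHARED_POOLS 8   /* assumed toy value, name taken from the thread */
#define MAX_DOMAINS 2
#define PER_DOMAIN_QUOTA (MAX_GLOBAL_SHARED_POOLS / MAX_DOMAINS)

struct pool { int used; uint64_t uuid_lo, uuid_hi; };
static struct pool pools[MAX_GLOBAL_SHARED_POOLS];

/* Weak design: the returned id is the global slot index. A caller that has
 * just created pools with junk uuids can compare the id it gets back for a
 * guessed uuid with those: a smaller id means the pool already existed. */
int weak_create_shared(uint64_t lo, uint64_t hi)
{
    for (int i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++)
        if (pools[i].used && pools[i].uuid_lo == lo && pools[i].uuid_hi == hi)
            return i;               /* existing pool: an older, smaller id */
    for (int i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++)
        if (!pools[i].used) {
            pools[i] = (struct pool){ 1, lo, hi };
            return i;               /* fresh pool: the next free slot */
        }
    return -1;                      /* global table full: also observable */
}

/* Hardened design (assumed): each domain sees only handles from its own
 * table, and a per-domain quota sized so the quotas sum to the global table
 * means a domain's create/join never fails because of other domains' state. */
static int handle_map[MAX_DOMAINS][PER_DOMAIN_QUOTA];
static int handle_count[MAX_DOMAINS];

int hardened_create_shared(int dom, uint64_t lo, uint64_t hi)
{
    if (dom < 0 || dom >= MAX_DOMAINS)
        return -1;
    if (handle_count[dom] >= PER_DOMAIN_QUOTA)
        return -1;                  /* depends only on this domain's own usage */
    int slot = weak_create_shared(lo, hi);
    if (slot < 0)
        return -1;                  /* unreachable while quotas sum to table size */
    handle_map[dom][handle_count[dom]] = slot;
    return handle_count[dom]++;     /* always the domain's next handle, new or not */
}

/* Clear all state so the model can be exercised from a known start. */
void reset_pools(void)
{
    memset(pools, 0, sizeof pools);
    memset(handle_count, 0, sizeof handle_count);
}
```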


