From: Pavel Emelyanov <xemul@parallels.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Konstantin Khlebnikov <khlebnikov@openvz.org>,
Mark Seaborn <mseaborn@chromium.org>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace
Date: Tue, 10 Mar 2015 00:20:32 +0300 [thread overview]
Message-ID: <54FE0EA0.7030002@parallels.com> (raw)
In-Reply-To: <1425935472-17949-1-git-send-email-kirill@shutemov.name>
On 03/10/2015 12:11 AM, Kirill A. Shutemov wrote:
> From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
>
> As pointed out by a recent post[1] on exploiting DRAM physical imperfections,
> /proc/PID/pagemap exposes sensitive information which can be used to mount
> attacks.
>
> This is an RFC patch which disallows anybody without CAP_SYS_ADMIN from reading
> the pagemap.
>
> Any comments?
If I'm not mistaken, the pagemap file is used by some userspace that does
working-set size analysis. But this thing only needs the flags (referenced
bit) from the PTEs. Maybe it would be better not to lock this file completely,
but instead report the PFN part as zero?
Other than this, I don't mind :) Although we use this heavily in CRIU, we
work only with CAP_SYS_ADMIN anyway, so adding the new one doesn't hurt.
Thanks,
Pavel
> [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Cc: Pavel Emelyanov <xemul@parallels.com>
> Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Mark Seaborn <mseaborn@chromium.org>
> Cc: Andy Lutomirski <luto@amacapital.net>
> ---
> fs/proc/task_mmu.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 246eae84b13b..b72b36e64286 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -1322,6 +1322,9 @@ out:
>
> static int pagemap_open(struct inode *inode, struct file *file)
> {
> + /* do not disclose physical addresses: attack vector */
> + if (!capable(CAP_SYS_ADMIN))
> + return -EPERM;
> pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
> "to stop being page-shift some time soon. See the "
> "linux/Documentation/vm/pagemap.txt for details.\n");
>
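Review bot: Documentation/vm/pagemap.txt, which the pr_warn_once right after the new check already points readers at, is not updated to say that open() now fails with -EPERM unless the caller has CAP_SYS_ADMIN; that doc change belongs in the same patch. Placing capable() in pagemap_open() rather than in the read path is the right choice, since it ties the privilege to the credentials of the process that opens the file, so keep that; only the documentation is missing.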
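Pavel's alternative above (keep the flag bits, zero the PFN) as an added illustration, not code from the thread or from the kernel: a sanitizer for a raw pagemap entry that a working-set tool can still use, plus a reader for the calling process's own pagemap. Bit positions follow Documentation/vm/pagemap.txt as of this thread (PFN or swap type/offset in bits 0-54, flags in bits 55-63); the function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Layout of one 64-bit /proc/PID/pagemap entry (Documentation/vm/pagemap.txt). */
#define PM_PFRAME_BITS 55
#define PM_PFRAME_MASK ((1ULL << PM_PFRAME_BITS) - 1)   /* bits 0-54 */
#define PM_SOFT_DIRTY  (1ULL << 55)
#define PM_FILE        (1ULL << 61)
#define PM_SWAP        (1ULL << 62)
#define PM_PRESENT     (1ULL << 63)

/* The entry as an unprivileged reader would see it under the "zero the PFN"
 * approach: flag bits survive, PFN / swap info in bits 0-54 is cleared.
 * A reader with CAP_SYS_ADMIN (caller decides) gets the entry unchanged. */
uint64_t pagemap_sanitize(uint64_t entry, bool has_cap_sys_admin)
{
    return has_cap_sys_admin ? entry : (entry & ~PM_PFRAME_MASK);
}

/* Working-set style query: only needs the flag bits, so it still works on
 * sanitized entries, which is exactly the point of keeping the file readable. */
bool pagemap_is_resident(uint64_t entry)
{
    return (entry & PM_PRESENT) != 0;
}

/* Read the raw entry for the page containing addr from /proc/self/pagemap.
 * Returns 0 on success, -1 if the file cannot be opened or read. */
int pagemap_read_self(uintptr_t addr, uint64_t *entry)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    off_t off = (off_t)(addr / (uintptr_t)page) * (off_t)sizeof(*entry);
    ssize_t n = pread(fd, entry, sizeof(*entry), off);
    close(fd);
    return n == (ssize_t)sizeof(*entry) ? 0 : -1;
}

int main(void)
{
    static char buf[4096];
    uint64_t raw;
    buf[0] = 1;                       /* touch the page so it is resident */
    if (pagemap_read_self((uintptr_t)buf, &raw) != 0) {
        perror("pagemap");            /* e.g. -EPERM once the patch is applied */
        return 1;
    }
    uint64_t seen = pagemap_sanitize(raw, false);
    printf("resident=%d pfn_bits=%#llx\n", pagemap_is_resident(seen),
           (unsigned long long)(seen & PM_PFRAME_MASK));
    return 0;
}
```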