From: Alexey Dobriyan <adobriyan@gmail.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org,
x86@kernel.org
Subject: Re: [PATCH] selftests/x86: add "ffff8" -- kernel memory scanner
Date: Sat, 29 Oct 2022 12:55:29 +0300
Message-ID: <Y1z4kZVRmX33GJ0F@p183>
In-Reply-To: <84E9CFF2-760D-4A5D-9B19-11CA804E1FE8@zytor.com>
On Fri, Oct 28, 2022 at 03:14:31PM -0700, H. Peter Anvin wrote:
> On October 28, 2022 12:33:49 PM PDT, Alexey Dobriyan <adobriyan@gmail.com> wrote:
> >During the Meltdown drama, Microsoft managed to screw up page tables and give
> >full kernel memory access to userspace:
> >
> > https://blog.frizk.net/2018/03/total-meltdown.html
> >
> >We don't want _any_ of that.
> >
> >This utility named ffff8 tries to read the upper half of the virtual address space
> >and report accesses that went through (excluding the vsyscall page if present).
> >
> >It works by doing an access and rewriting RDI in the SIGSEGV handler.
> >
> >I've tested it with a kernel patch which installs a rogue page, and it was found.
> >
> > $ ./a.out -h
> > usage: ./a.out [-f] [-r] [-n N] [-s S]
> > -f: sequential scan
> > -r: random scan (default)
> > -n: use N threads (default: $(nproc))
> > -s: lowest address shift (default: 47)
> > -t: time to run (default: 256 seconds)
> >
> >Intended usages are:
> >
> > $ ./a.out -f # full scan on all cores
> >or
> > $ ./a.out -r -t ... # time limited random scan for QA test
> >
> >Features include:
> >* multithreading
> >* auto spreads over CPUs given by taskset
> >* full sequential scan / random scan
> >* auto split work for full scan
> >* smaller than 47-bit scanning (for benchmarking)
> >* time limit
> >
> >Note 1:
> >HT appears to make scanning slower. If this is the case, use taskset(1)
> >to exclude HT siblings.
> >
> >Note 2:
> >Full 47-bit window scan takes a long time. My 16c/32t potato can do it
> >in ~8 hours. Benchmark with smaller shifts first.
>
> Good initiative!
Thanks!
> Only complaint I have is the name and the limit to LA48. LA57 (5-level
> page tables) has the same potential issue.
Yes. It would take only half a year to scan 57-bit space if my system
had one. :-)
> You may want to consider doing a breadth-first sweep scanning
> by decreasing powers of 2 as that will more quickly catch errors caused
> by problems in the upper levels of the page table hierarchy.
It can scan from top to bottom so that fixmap space is easily covered.
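The probe-and-advance-RDI mechanism the patch description sketches, as an added example written for this page; it is not the ffff8 source (which is not on the page) and not anyone's code from the thread. It assumes x86-64 Linux with glibc's ucontext layout (REG_RDI/REG_RIP). The probe loop keeps the candidate address in RDI and reads one byte from it; when the read faults, the SIGSEGV handler adds the stride to RDI in the saved register frame and rewinds RIP to the loop's bounds check, so the load instruction is never patched and a read that goes through falls out of the loop as a hit. The helper names, the constructed four-page user-space self check, and the small 256-address sample of the kernel half are all this example's own choices; the kernel-half start addresses (-(1 << 47) for 4-level paging, -(1 << 56) for 5-level paging) and the vsyscall page address are the architectural values.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <ucontext.h>

#define VSYSCALL_PAGE 0xffffffffff600000ULL  /* readable with vsyscall=emulate, so skipped */

/* State shared between the probe loop and the SIGSEGV handler. */
static volatile uint64_t g_step, g_end, g_resume;  /* stride, scan limit, RIP of loop head */
static volatile sig_atomic_t g_scanning;           /* non-zero only inside the probe loop */

static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uint64_t rdi = uc->uc_mcontext.gregs[REG_RDI], next = rdi + g_step;
    (void)si;
    if (!g_scanning) { signal(sig, SIG_DFL); return; }  /* not ours: crash normally on retry */
    if (next < rdi || next > g_end)  /* wrapped past the top of the address space */
        next = g_end;
    uc->uc_mcontext.gregs[REG_RDI] = next;     /* next candidate address */
    uc->uc_mcontext.gregs[REG_RIP] = g_resume; /* restart at the bounds check */
}

static int install_handler(void)
{
    struct sigaction sa = { .sa_sigaction = segv_handler, .sa_flags = SA_SIGINFO };
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Read one byte every step bytes in [start, end). Returns the first address whose
 * read went through, or end if every read faulted. RDI holds the address so the
 * handler can advance it; the load instruction itself is never modified. */
static uint64_t scan_until_readable(uint64_t start, uint64_t end, uint64_t step)
{
    uint64_t cur = start;
    g_step = step; g_end = end; g_scanning = 1;
    __asm__ __volatile__(
        "leaq 1f(%%rip), %%rax\n\t"
        "movq %%rax, %[resume]\n\t"
        "1:\n\t"
        "cmpq %[end], %[cur]\n\t"
        "jae 2f\n\t"
        "movb (%[cur]), %%al\n\t"  /* faults -> handler bumps RDI and jumps to 1 */
        "2:\n\t"
        : [cur] "+D"(cur), [resume] "=m"(g_resume)
        : [end] "S"(end)
        : "rax", "memory", "cc");
    g_scanning = 0;
    return cur;
}

/* Collect up to max readable addresses from [start, end) into hits[]. */
static size_t find_readable(uint64_t start, uint64_t end, uint64_t step,
                            uint64_t *hits, size_t max)
{
    size_t n = 0;
    uint64_t cur = start;
    while (n < max && cur < end) {
        cur = scan_until_readable(cur, end, step);
        if (cur >= end)
            break;
        if (cur < VSYSCALL_PAGE || cur >= VSYSCALL_PAGE + 4096)
            hits[n++] = cur;
        if (step >= end - cur)  /* next candidate would be at or past end */
            break;
        cur += step;
    }
    return n;
}

/* Constructed self check: four PROT_NONE pages, only the third readable. Returns 2 or -1. */
static int self_check(void)
{
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *base = mmap(NULL, 4 * page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    uint64_t b = (uint64_t)(uintptr_t)base, hits[4];
    size_t n;
    if (base == MAP_FAILED || install_handler() != 0 ||
        mprotect(base + 2 * page, page, PROT_READ) != 0)
        return -1;
    n = find_readable(b, b + 4 * page, (uint64_t)page, hits, 4);
    munmap(base, 4 * page);
    return n == 1 ? (int)((hits[0] - b) / page) : -1;
}

/* Probe count addresses, step bytes apart, from the bottom of the kernel half, -(1 << shift):
 * 0xffff800000000000 for shift 47 (4-level), 0xff00000000000000 for shift 56 (5-level). */
static size_t probe_kernel_half(unsigned shift, uint64_t step, uint64_t count,
                                uint64_t *hits, size_t max)
{
    uint64_t start = ~0ULL << shift;
    if (install_handler() != 0)
        return 0;
    return find_readable(start, start + step * count, step, hits, max);  /* any hit is a finding */
}

int main(void)
{
    uint64_t hits[8];
    size_t n = probe_kernel_half(47, 1ULL << 30, 256, hits, 8);
    printf("self check: readable page index %d (expected 2)\n", self_check());
    printf("kernel half sample: %zu of 256 reads went through\n", n);
    return n ? 1 : 0;
}
```

Build with `gcc -O2 -Wall` on an x86-64 Linux box; the self check must report page index 2 and the kernel-half sample must report 0 reads going through. This shows only the single-thread probe loop; the full sweep in the patch adds threads, taskset-aware CPU spreading, random order and a time limit on top of exactly this step-on-fault loop. Because the handler rewrites the saved RDI rather than the code, each faulting address costs one signal round trip, which is why the description warns that a full 47-bit sweep takes hours.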
Thread overview (10+ messages):
2022-10-28 19:33 [PATCH] selftests/x86: add "ffff8" -- kernel memory scanner Alexey Dobriyan
2022-10-28 22:14 ` H. Peter Anvin
2022-10-29 9:55 ` Alexey Dobriyan [this message]
2022-10-29 17:25 ` [PATCH v2] " Alexey Dobriyan
2022-10-31 21:37 ` Dave Hansen
2022-11-01 6:45 ` Alexey Dobriyan
2022-11-01 7:04 ` Dave Hansen
2022-11-23 13:29 ` [PATCH v3] " Alexey Dobriyan
2022-10-29 2:14 ` [PATCH] " Bagas Sanjaya
2022-10-29 9:45 ` Alexey Dobriyan