From: Michal Hocko <mhocko@kernel.org>
To: Jann Horn <jannh@google.com>
Cc: Matthew Garrett <matthewgarrett@google.com>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Matthew Garrett <mjg59@google.com>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH V2] mm: Allow userland to request that the kernel clear memory on release
Date: Fri, 26 Apr 2019 15:47:22 +0200 [thread overview]
Message-ID: <20190426134722.GH22245@dhcp22.suse.cz> (raw)
In-Reply-To: <CAG48ez1MGyAd5tE=JLmjkFqou-VvsQHcJ5TU5f8_L43km9eoYA@mail.gmail.com>
On Fri 26-04-19 15:33:25, Jann Horn wrote:
> On Fri, Apr 26, 2019 at 7:31 AM Michal Hocko <mhocko@kernel.org> wrote:
> > On Thu 25-04-19 14:42:52, Jann Horn wrote:
> > > On Thu, Apr 25, 2019 at 2:14 PM Michal Hocko <mhocko@kernel.org> wrote:
> > > [...]
> > > > On Wed 24-04-19 14:10:39, Matthew Garrett wrote:
> > > > > From: Matthew Garrett <mjg59@google.com>
> > > > >
> > > > > Applications that hold secrets and wish to avoid them leaking can use
> > > > > mlock() to prevent the page from being pushed out to swap and
> > > > > MADV_DONTDUMP to prevent it from being included in core dumps. Applications
> > > > > can also use atexit() handlers to overwrite secrets on application exit.
> > > > > However, if an attacker can reboot the system into another OS, they can
> > > > > dump the contents of RAM and extract secrets. We can avoid this by setting
> > > > > CONFIG_RESET_ATTACK_MITIGATION on UEFI systems in order to request that the
> > > > > firmware wipe the contents of RAM before booting another OS, but this means
> > > > > rebooting takes a *long* time - the expected behaviour is for a clean
> > > > > shutdown to remove the request after scrubbing secrets from RAM in order to
> > > > > avoid this.
> > > > >
> > > > > Unfortunately, if an application exits uncleanly, its secrets may still be
> > > > > present in RAM. This can't be easily fixed in userland (eg, if the OOM
> > > > > killer decides to kill a process holding secrets, we're not going to be able
> > > > > to avoid that), so this patch adds a new flag to madvise() to allow userland
> > > > > to request that the kernel clear the covered pages whenever the page
> > > > > reference count hits zero. Since vm_flags is already full on 32-bit, it
> > > > > will only work on 64-bit systems.
> > > [...]
> > > > > diff --git a/mm/madvise.c b/mm/madvise.c
> > > > > index 21a7881a2db4..989c2fde15cf 100644
> > > > > --- a/mm/madvise.c
> > > > > +++ b/mm/madvise.c
> > > > > @@ -92,6 +92,22 @@ static long madvise_behavior(struct vm_area_struct *vma,
> > > > > case MADV_KEEPONFORK:
> > > > > new_flags &= ~VM_WIPEONFORK;
> > > > > break;
> > > > > + case MADV_WIPEONRELEASE:
> > > > > + /* MADV_WIPEONRELEASE is only supported on anonymous memory. */
> > > > > + if (VM_WIPEONRELEASE == 0 || vma->vm_file ||
> > > > > + vma->vm_flags & VM_SHARED) {
> > > > > + error = -EINVAL;
> > > > > + goto out;
> > > > > + }
> > > > > + new_flags |= VM_WIPEONRELEASE;
> > > > > + break;
> > >
> > > An interesting effect of this is that it will be possible to set this
> > > on a CoW anon VMA in a fork() child, and then the semantics in the
> > > parent will be subtly different - e.g. if the parent vmsplice()d a
> > > CoWed page into a pipe, then forked an unprivileged child, the child
> >
> > Maybe a stupid question. How do you fork an unprivileged child (without
> > exec)? Child would have to drop priviledges on its own, no?
>
> Sorry, yes, that's what I meant.
But then the VMA is gone along with the flag so why does it matter?
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2019-04-26 13:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CACdnJuup-y1xAO93wr+nr6ARacxJ9YXgaceQK9TLktE7shab1w@mail.gmail.com>
[not found] ` <20190424211038.204001-1-matthewgarrett@google.com>
2019-04-25 12:14 ` [PATCH V2] mm: Allow userland to request that the kernel clear memory on release Michal Hocko
2019-04-25 12:37 ` Michal Hocko
2019-04-25 20:39 ` Matthew Garrett
2019-04-26 5:25 ` Michal Hocko
2019-04-26 18:08 ` Matthew Garrett
2019-04-29 21:44 ` Michal Hocko
2019-04-25 12:40 ` Vlastimil Babka
2019-04-25 20:45 ` Matthew Garrett
2019-04-25 12:42 ` Jann Horn
2019-04-25 20:43 ` Matthew Garrett
2019-04-26 5:31 ` Michal Hocko
2019-04-26 13:33 ` Jann Horn
2019-04-26 13:47 ` Michal Hocko [this message]
2019-04-26 14:03 ` Jann Horn
2019-04-26 14:08 ` Michal Hocko
2019-04-25 22:58 ` [PATCH V3] " Matthew Garrett
2019-04-26 7:45 ` Vlastimil Babka
2019-04-26 18:10 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190426134722.GH22245@dhcp22.suse.cz \
--to=mhocko@kernel.org \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matthewgarrett@google.com \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).