From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Andy Lutomirski <luto@amacapital.net>
Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
Pavel Machek <pavel@ucw.cz>, Mark Seaborn <mseaborn@chromium.org>,
kernel list <linux-kernel@vger.kernel.org>
Subject: Re: DRAM unreliable under specific access patern
Date: Tue, 6 Jan 2015 04:18:36 +0200
Message-ID: <20150106021836.GA24121@node.dhcp.inet.fi>
In-Reply-To: <CALCETrV1O1MFJeY6WacF+QHdBGG7HoHdVQy=n951=Y+=g+h7mQ@mail.gmail.com>

On Mon, Jan 05, 2015 at 05:57:24PM -0800, Andy Lutomirski wrote:
> On Mon, Jan 5, 2015 at 5:47 PM, Kirill A. Shutemov <kirill@shutemov.name> wrote:
> > On Mon, Jan 05, 2015 at 11:50:04AM -0800, Andy Lutomirski wrote:
> >> On Mon, Jan 5, 2015 at 11:23 AM, One Thousand Gnomes
> >> <gnomes@lxorguk.ukuu.org.uk> wrote:
> >> >> In the meantime, I created test that actually uses physical memory,
> >> >> 8MB apart, as described in some footnote. It is attached. It should
> >> >> work, but it needs boot with specific config options and specific
> >> >> kernel parameters.
> >> >
> >> > Why not just use hugepages. You know the alignment guarantees for 1GB
> >> > pages and that means you don't even need to be root
> >> >
> >> > In fact - should we be disabling 1GB huge page support by default at this
> >> > point, at least on non ECC boxes ?
> >>
> >> Can you actually damage anyone else's data using a 1 GB hugepage?
> >
> > hugetlbfs is a filesystem: the answer is yes. Although I don't see the
> > issue as a big attack vector.
>
> What I mean is: if I map a 1 GB hugepage and rowhammer it, is it
> likely that the corruption will be confined to the same 1 GB?

I don't know for sure, but it looks likely to me according to the claim in
the paper (8MB). But it can still be somebody else's data: a 644 file on
hugetlbfs mmap()ed r/o by anyone.

When I read the paper I thought that the vdso would be an interesting target
for the attack, but with all these constraints in place, it's hard to aim the
attack at anything widely used.

--
Kirill A. Shutemov