From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752685AbbCJLdI (ORCPT ); Tue, 10 Mar 2015 07:33:08 -0400
Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:47423 "EHLO
	atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751556AbbCJLdD (ORCPT );
	Tue, 10 Mar 2015 07:33:03 -0400
Date: Tue, 10 Mar 2015 12:33:01 +0100
From: Pavel Machek
To: Mark Seaborn
Cc: kernel list , One Thousand Gnomes , luto
Subject: DRAM bug exploitable on 50% machines without ECC (was Re: DRAM unreliable under specific access patern)
Message-ID: <20150310113301.GA8044@amd>
References: <20141224220818.GA17655@amd> <20150105192329.5f32c155@lxorguk.ukuu.org.uk> <20150106232025.GA32569@amd>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon 2015-03-09 09:03:18, Mark Seaborn wrote:
> On 6 January 2015 at 15:20, Pavel Machek wrote:
> > On Mon 2015-01-05 19:23:29, One Thousand Gnomes wrote:
> > Actually, I could not get my test code to run; and as code from
> >
> > https://github.com/mseaborn/rowhammer-test
> >
> > reproduces issue for me, I stopped trying. I could not get it to
> > damage memory of other process than itself (but that should be
> > possible), I guess that's next thing to try.
>
> FYI, rowhammer-induced bit flips do turn out to be exploitable. Here
> are the results of my research on this:
> http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

The excrement made physical contact with a hydro-electric powered
oscillating air current distribution device.

Thanks a lot for the report.

One thing stands out: you ask for more openness from the hardware
vendors, but then you mask the manufacturer names to make it easier
for them to be quiet.
Are corporate lawyers being nasty?

Anyway, in the name of full disclosure:

Thinkpad x60: could not reproduce.

2009-era desktop: reproduced.

BIOS Information
	Vendor: Intel Corp.
	Version: MJG4110H.86A.0006.2009.1223.1155
	Release Date: 12/23/2009
	Address: 0xF0000
	Runtime Size: 64 kB
	ROM Size: 1024 kB
	Characteristics: ...

Handle 0x0001, DMI type 1, 27 bytes
System Information
	Manufacturer:
	Product Name:
	Version:
	Serial Number:
	UUID: 56E3FDCE-66ED-11DF-87C2-001FE20E1E5F
	Wake-up Type: Power Switch
	SKU Number: Not Specified
	Family: Not Specified

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
	Manufacturer: Intel Corporation
	Product Name: DG41MJ
	Version: AAE54659-206
	Serial Number: AZMJ02200117
	Asset Tag: To be filled by O.E.M.
	Features:
		Board is a hosting board
		Board is replaceable
	Location In Chassis: To be filled by O.E.M.
	Chassis Handle: 0x0003
	Type: Motherboard
	Contained Object Handles: 0

CPU is Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz.

I guess it makes sense to post to bugtraq@securityfocus.com and get
a CVE number?

Best regards,
								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html