From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934001AbbCROMB (ORCPT ); Wed, 18 Mar 2015 10:12:01 -0400 Received: from mga14.intel.com ([192.55.52.115]:5896 "EHLO mga14.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932878AbbCROMA (ORCPT ); Wed, 18 Mar 2015 10:12:00 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.11,422,1422950400"; d="scan'208";a="666967979" Message-ID: <550987AD.8020409@intel.com> Date: Wed, 18 Mar 2015 07:11:57 -0700 From: Dave Hansen User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Konstantin Khlebnikov , linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov" CC: Andrew Morton , Linus Torvalds , Andy Lutomirski Subject: Re: [PATCH RFC] mm: protect suid binaries against rowhammer with copy-on-read mappings References: <20150318083040.7838.76933.stgit@zurg> In-Reply-To: <20150318083040.7838.76933.stgit@zurg> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/18/2015 01:30 AM, Konstantin Khlebnikov wrote: > + /* > + * Read-only SUID/SGID binares are mapped as copy-on-read > + * this protects them against exploiting with Rowhammer. > + */ > + if (!(file->f_mode & FMODE_WRITE) && > + ((inode->i_mode & S_ISUID) || ((inode->i_mode & S_ISGID) && > + (inode->i_mode & S_IXGRP)))) { > + vm_flags &= ~(VM_SHARED | VM_MAYSHARE); > + vm_flags |= VM_COR; > + } I think we probably need to come to _some_ sort of understanding in the kernel of how much we are willing to do to thwart these kinds of attacks. I suspect it's a very deep rabbit hole. For this particular case, I don't see how this would be effective. The existing exploit which you reference attacks PTE pages which are unmapped in to the user address space. I'm confused how avoiding mapping a page in to an attacker's process can keep it from being exploited. Right now, there's a relatively small number of pages that will get COW'd for a SUID binary. This greatly increases the number which could allow spraying of these (valuable) copy-on-read pages.