Subject: Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users
From: Ben Hutchings
To: Willy Tarreau, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Konstantin Khlebnikov, Naoya Horiguchi, Mark Williamson, Andrew Morton, Linus Torvalds
Date: Mon, 30 Nov 2015 01:54:22 +0000
Message-ID: <1448848462.1990.44.camel@decadent.org.uk>
In-Reply-To: <20151129214703.685445143@1wt.eu>

On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> 2.6.32-longterm review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.
>
> This patch makes pagemap readable for normal users and hides physical
> addresses from them.  For some use-cases PFN isn't required at all.
>
> See http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name
>
> Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
> Signed-off-by: Konstantin Khlebnikov
> Cc: Naoya Horiguchi
> Reviewed-by: Mark Williamson
> Tested-by: Mark Williamson
> Signed-off-by: Andrew Morton
> Signed-off-by: Linus Torvalds
> [bwh: Backported to 3.2:
>  - Add the same check in the places where we look up a PFN
>  - Add struct pagemapread * parameters where necessary
>  - Open-code file_ns_capable()
>  - Delete pagemap_open() entirely, as it would always return 0]
> Signed-off-by: Ben Hutchings
> (cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
> [wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, and
>  security_capable() only takes a capability. Tested OK. ]
[...]
> + /* do not disclose physical addresses: attack vector */
> + pm.show_pfn = !security_capable(CAP_SYS_ADMIN);
[...]

This is wrong; see .

For 2.6.32 perhaps you could retain the capability check at open time but
store the result in private state for use at read time.

The ptrace check presumably should also be done at open time, as was
implemented upstream in:

commit a06db751c321546e5563041956a57613259c6720
Author: Konstantin Khlebnikov
Date:   Tue Sep 8 14:59:59 2015 -0700

    pagemap: check permissions and capabilities at open time

But that wasn't cc'd to stable and hasn't been applied to any stable
branch (yet).

Ben.

-- 
Ben Hutchings
Who are all these weirdos?
- David Bowie, reading IRC for the first time
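Review bot: `pm.show_pfn = !security_capable(CAP_SYS_ADMIN);` tests the capability of whichever task is calling read(), not the credentials of the task that opened the pagemap file; the 3.2 backport this was cherry-picked from open-codes file_ns_capable() precisely to test the opener's credentials, and 2.6.32's security_capable(), which takes only a capability, cannot express that. Instead of deleting pagemap_open(), keep it, perform the CAP_SYS_ADMIN check there and record the outcome in per-file private data that pagemap_read() copies into pm.show_pfn, so an unprivileged opener does not obtain PFNs merely because a more privileged task performs the read on the same descriptor.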
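The difference between the two check placements discussed in the thread, as an added example that is not part of the e-mail or of the kernel source. `struct cred`, `struct file`, `current_cred`, `pagemap_open()` and the two `read_entry_*` functions are constructed stand-ins for the kernel objects they are named after; only the entry layout constants (PFN in bits 0-54, present flag in bit 63) are modelled on the real pagemap format. The scenario run is the one that matters: one task opens the file and a differently privileged task later performs the read on the same descriptor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's struct cred and struct file. */
struct cred { bool cap_sys_admin; };
struct file {
    const struct cred *f_cred;   /* opener's credentials, like file->f_cred in the kernel */
    void *private_data;
};
struct pagemap_private { bool show_pfn; };

/* Modelled on the kernel pagemap entry layout: PFN in bits 0-54, present flag in bit 63. */
#define PM_PRESENT     (1ULL << 63)
#define PM_PFRAME_MASK ((1ULL << 55) - 1)

/* Stand-in for the kernel's `current`: the task executing read() right now. */
static const struct cred *current_cred;

/* Pattern A (the 2.6.32 backport as posted): decide at read time from the caller. */
static uint64_t read_entry_checked_at_read(uint64_t raw)
{
    /* Plays the role of !security_capable(CAP_SYS_ADMIN) on the reading task. */
    bool show_pfn = current_cred->cap_sys_admin;
    return show_pfn ? raw : (raw & ~PM_PFRAME_MASK);   /* keep flags, clear PFN */
}

/* Pattern B (what the reply asks for): decide at open time from the opener, store it. */
static int pagemap_open(struct file *file, struct pagemap_private *priv)
{
    /* Stands in for the open-coded file_ns_capable() check on file->f_cred. */
    priv->show_pfn = file->f_cred->cap_sys_admin;
    file->private_data = priv;
    return 0;
}

static uint64_t read_entry_checked_at_open(struct file *file, uint64_t raw)
{
    const struct pagemap_private *priv = file->private_data;
    return priv->show_pfn ? raw : (raw & ~PM_PFRAME_MASK);
}

/*
 * One scenario: `opener` opens pagemap, `reader` later calls read() on the
 * same struct file (the descriptor has changed hands). Returns the entry the
 * reader sees under the selected pattern.
 */
static uint64_t simulate(const struct cred *opener, const struct cred *reader,
                         bool check_at_open, uint64_t raw)
{
    struct pagemap_private priv;
    struct file file = { .f_cred = opener, .private_data = NULL };
    pagemap_open(&file, &priv);
    current_cred = reader;
    return check_at_open ? read_entry_checked_at_open(&file, raw)
                         : read_entry_checked_at_read(raw);
}

static const struct cred admin = { .cap_sys_admin = true };
static const struct cred user  = { .cap_sys_admin = false };

/* Constructed sample entry: a present page at PFN 0x1234. */
#define SAMPLE_ENTRY (PM_PRESENT | 0x1234ULL)

static bool pfn_visible(uint64_t entry) { return (entry & PM_PFRAME_MASK) != 0; }

int main(void)
{
    /* Unprivileged task opened the file; a CAP_SYS_ADMIN task performs the read for it. */
    printf("read-time check, user opens / admin reads: PFN %s\n",
           pfn_visible(simulate(&user, &admin, false, SAMPLE_ENTRY)) ? "leaked" : "hidden");
    printf("open-time check, user opens / admin reads: PFN %s\n",
           pfn_visible(simulate(&user, &admin, true, SAMPLE_ENTRY)) ? "leaked" : "hidden");
    return 0;
}
```

With the read-time check the unprivileged opener ends up with the PFN as soon as a privileged task reads on its behalf; with the decision taken in `pagemap_open()` from `f_cred` and stored in `private_data`, the same descriptor keeps hiding the PFN no matter who reads it, which is the behaviour the upstream open-time check gives.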