Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users

[Konstantin Khlebnikov <khlebnikov@yandex-team.ru>]

On 30.11.2015 14:30, Willy Tarreau wrote:
> On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:
>> >On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:
>>> > >On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
>>> > >This is wrong; see
>>> > ><https://marc.info/?l=linux-api&m=143144321020852&w=2>.
>> >
>> >Damned, and I now remember this discussion. The worst thing is that
>> >I purposely booted a machine to test the fix and was happy with it,
>> >I forgot this point:-(
>> >
>>> > >For 2.6.32 perhaps you could retain the capability check at open time
>>> > >but store the result in private state for use at read time.
>> >
>> >I'll see if it is possible to opencode security_capable() with 2.6.32's
>> >infrastructure, and how far this brings us. Or maybe we should even drop
>> >this one completely and leave pagemap readable only for superuser on
>> >2.6.32, it doesn't seem to be that big of a deal either.
> It was easy enough to open-code security_capable() in the end. I've
> tested this version which works fine for me here. If that's OK for you
> I'll emit an -rc2 with the last two patches.
>
> Thanks,
> Willy
>
>
> 0001-pagemap-hide-physical-addresses-from-non-privileged-.patch
>
>
>  From fde24678af1b04712144457512afbc16fd71b252 Mon Sep 17 00:00:00 2001
> From: Konstantin Khlebnikov<khlebnikov@yandex-team.ru>
> Date: Tue, 8 Sep 2015 15:00:07 -0700
> Subject: pagemap: hide physical addresses from non-privileged users
>
> commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.
>
> This patch makes pagemap readable for normal users and hides physical
> addresses from them.  For some use-cases PFN isn't required at all.
>
> Seehttp://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name
>
> Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
> Signed-off-by: Konstantin Khlebnikov<khlebnikov@yandex-team.ru>
> Cc: Naoya Horiguchi<n-horiguchi@ah.jp.nec.com>
> Reviewed-by: Mark Williamson<mwilliamson@undo-software.com>
> Tested-by:  Mark Williamson<mwilliamson@undo-software.com>
> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
> [bwh: Backported to 3.2:
>   - Add the same check in the places where we look up a PFN
>   - Add struct pagemapread * parameters where necessary
>   - Open-code file_ns_capable()
>   - Delete pagemap_open() entirely, as it would always return 0]
> Signed-off-by: Ben Hutchings<ben@decadent.org.uk>
> (cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
> [wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, open-coded
>   security_capable(). Tested OK. ]
> Signed-off-by: Willy Tarreau<w@1wt.eu>
> ---
>   fs/proc/task_mmu.c | 21 ++++++++-------------
>   1 file changed, 8 insertions(+), 13 deletions(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 73db5a6..24d3602 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -8,6 +8,7 @@
>   #include <linux/mempolicy.h>
>   #include <linux/swap.h>
>   #include <linux/swapops.h>
> +#include <linux/security.h>
>
>   #include <asm/elf.h>
>   #include <asm/uaccess.h>
> @@ -539,6 +540,7 @@ const struct file_operations proc_clear_refs_operations = {
>
>   struct pagemapread {
>   	u64 __user *out, *end;
> +	bool show_pfn;
>   };
>
>   #define PM_ENTRY_BYTES      sizeof(u64)
> @@ -589,14 +591,14 @@ static u64 swap_pte_to_pagemap_entry(pte_t pte)
>   	return swp_type(e) | (swp_offset(e) << MAX_SWAPFILES_SHIFT);
>   }
>
> -static u64 pte_to_pagemap_entry(pte_t pte)
> +static u64 pte_to_pagemap_entry(struct pagemapread *pm, pte_t pte)
>   {
>   	u64 pme = 0;
>   	if (is_swap_pte(pte))
>   		pme = PM_PFRAME(swap_pte_to_pagemap_entry(pte))
>   			| PM_PSHIFT(PAGE_SHIFT) | PM_SWAP;
>   	else if (pte_present(pte))
> -		pme = PM_PFRAME(pte_pfn(pte))
> +		pme = (pm->show_pfn ? PM_PFRAME(pte_pfn(pte)) : 0)
>   			| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
>   	return pme;
>   }
> @@ -624,7 +626,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
>   		if (vma && (vma->vm_start <= addr) &&
>   		    !is_vm_hugetlb_page(vma)) {
>   			pte = pte_offset_map(pmd, addr);
> -			pfn = pte_to_pagemap_entry(*pte);
> +			pfn = pte_to_pagemap_entry(pm, *pte);
>   			/* unmap before userspace copy */
>   			pte_unmap(pte);
>   		}
> @@ -695,6 +697,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
>   	if (!count)
>   		goto out_task;
>
> +	/* do not disclose physical addresses: attack vector */
> +	pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
> +

At first sight this is confusing... but correct. It really returns zero
for success, unlike to new file_ns_capable which returns bool true.

The rest looks good too.

>   	mm = get_task_mm(task);
>   	if (!mm)
>   		goto out_task;
> @@ -773,19 +778,9 @@ out:
>   	return ret;
>   }
>
> -static int pagemap_open(struct inode *inode, struct file *file)
> -{
> -	/* do not disclose physical addresses to unprivileged
> -	   userspace (closes a rowhammer attack vector) */
> -	if (!capable(CAP_SYS_ADMIN))
> -		return -EPERM;
> -	return 0;
> -}
> -
>   const struct file_operations proc_pagemap_operations = {
>   	.llseek		= mem_lseek, /* borrow this */
>   	.read		= pagemap_read,
> -	.open		= pagemap_open,
>   };
>   #endif /* CONFIG_PROC_PAGE_MONITOR */
>
> -- 1.7.12.1
>


-- 
Konstantin