lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20081216125000.GC25019@elte.hu>
Date:	Tue, 16 Dec 2008 13:50:00 +0100
From:	Ingo Molnar <mingo@...e.hu>
To:	Pavel Machek <pavel@...e.cz>
Cc:	linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Stephane Eranian <eranian@...glemail.com>,
	Eric Dumazet <dada1@...mosbay.com>,
	Robert Richter <robert.richter@....com>,
	Arjan van de Ven <arjan@...radead.org>,
	Peter Anvin <hpa@...or.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Paul Mackerras <paulus@...ba.org>,
	"David S. Miller" <davem@...emloft.net>,
	perfctr-devel@...ts.sourceforge.net
Subject: Re: [patch] Performance Counters for Linux, v4


* Pavel Machek <pavel@...e.cz> wrote:

> Hmm, if I timec some setuid program, what happens?

yes, i already had a quick look at that a few days ago when i implemented 
counter inheritance (for different reasons) and couldnt find the cleanest 
place to put the exec() flushing into so i procrastinated that a bit :)

> Performance counters seem like great tool to pull secret keys out of 
> other processes :-).

if you worry about _that_ angle you also have to:

 - turn off the cycle counter

 - turn off precise utimes

 - plus you have to forbid SMT CPUs as well. On HT a task could
   co-schedule with your setuid task and observe its timing
   characteristics via its _own_ behavior. (which is impacted by whatever
   is running on another SMT/HT thread.)

the real exec() worry are: active, IRQ driven samples/events. Not possible 
yet via the current iteration of counter inheritance (hence my 
procrastination) - but it makes sense and that's why i was looking at the 
exec() angle.

and that will flush simple counters too, removing your theoretical attack 
angle as well.

So how about the patch below?

	Ingo

--------------->
Subject: perfcounters: flush on setuid exec
From: Ingo Molnar <mingo@...e.hu>
Date: Tue Dec 16 13:40:44 CET 2008

Pavel Machek pointed out that performance counters should be flushed
when crossing protection domains on setuid execution.

Reported-by: Pavel Machek <pavel@...e.cz>
Signed-off-by: Ingo Molnar <mingo@...e.hu>
---
 fs/exec.c |    8 ++++++++
 1 file changed, 8 insertions(+)

Index: linux/fs/exec.c
===================================================================
--- linux.orig/fs/exec.c
+++ linux/fs/exec.c
@@ -33,6 +33,7 @@
 #include <linux/string.h>
 #include <linux/init.h>
 #include <linux/pagemap.h>
+#include <linux/perf_counter.h>
 #include <linux/highmem.h>
 #include <linux/spinlock.h>
 #include <linux/key.h>
@@ -1015,6 +1016,13 @@ int flush_old_exec(struct linux_binprm *
 		set_dumpable(current->mm, suid_dumpable);
 	}
 
+	/*
+	 * Flush performance counters when crossing a
+	 * security domain:
+	 */
+	if (!get_dumpable(current->mm))
+		perf_counter_exit_task(current);
+
 	/* An exec changes our domain. We are no longer part of the thread
 	   group */
 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ