[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAL82V5NrmF_z3WMphR+LvM4iq8GkW4+gev36n=Dx-ommE2xung@mail.gmail.com>
Date: Mon, 9 Mar 2015 14:37:34 -0700
From: Mark Seaborn <mseaborn@...omium.org>
To: Pavel Machek <pavel@....cz>
Cc: Andy Lutomirski <luto@...capital.net>,
kernel list <linux-kernel@...r.kernel.org>,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Subject: Re: DRAM unreliable under specific access patern
On 9 March 2015 at 14:17, Pavel Machek <pavel@....cz> wrote:
> On Mon 2015-03-09 09:30:50, Andy Lutomirski wrote:
>> On Mon, Mar 9, 2015 at 9:03 AM, Mark Seaborn <mseaborn@...omium.org> wrote:
>> > On 6 January 2015 at 15:20, Pavel Machek <pavel@....cz> wrote:
>> >> Actually, I could not get my test code to run; and as code from
>> >>
>> >> https://github.com/mseaborn/rowhammer-test
>> >>
>> >> reproduces issue for me, I stopped trying. I could not get it to
>> >> damage memory of other process than itself (but that should be
>> >> possible), I guess that's next thing to try.
>> >
>> > FYI, rowhammer-induced bit flips do turn out to be exploitable. Here
>> > are the results of my research on this:
>> > http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
>> >
>>
>> IIRC non-temporal writes will force cachelines out to main memory
>> *and* invalidate them. (I wouldn't be shocked if Skylake changes
>> this, but I'm reasonably confident that it's true on all currently
>> available Intel chips.)
>>
>> Have you checked whether read; read; nt store; nt store works?
>>
>> (I can't test myself easily right now -- I think my laptop is too old
>> for this issue.)
>
> Well, if you had laptop with that issue, it would still be tricky to
> test this. It takes a while to reproduce...
Actually, it depends. The time it takes to get a rowhammer-induced
bit flip when picking aggressor addresses at random varies quite a lot
between machines. On some machines, it takes minutes. On others, it
takes hours.
However, once you've found a bad DRAM location, the bit flips do tend
to be repeatable. So it is possible to record the physical addresses
of aggressor and victim locations (using /proc/self/pagemap) and retry
them later, potentially using different methods for attempting to do
row hammering (such as CLFLUSH vs. non-temporal accesses). I have not
actually tried that with methods other than CLFLUSH yet. I tried
using non-temporal accesses early on in my experimentation, but I
didn't try them with known-bad locations.
Cheers,
Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists