| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrU_3FS6B7LtkAwdC3e8xfiwdhPjkVWPgxP1Vy2uPeqMtA@mail.gmail.com>
Date: Mon, 9 Mar 2015 17:19:41 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Kees Cook <keescook@...omium.org>
Cc: "Kirill A. Shutemov" <kirill@...temov.name>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Pavel Emelyanov <xemul@...allels.com>,
Konstantin Khlebnikov <khlebnikov@...nvz.org>,
Mark Seaborn <mseaborn@...omium.org>
Subject: Re: [RFC, PATCH] pagemap: do not leak physical addresses to
non-privileged userspace
On Mon, Mar 9, 2015 at 5:11 PM, Kees Cook <keescook@...omium.org> wrote:
> On Mon, Mar 9, 2015 at 2:11 PM, Kirill A. Shutemov <kirill@...temov.name> wrote:
>> From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
>>
>> As pointed by recent post[1] on exploiting DRAM physical imperfection,
>> /proc/PID/pagemap exposes sensitive information which can be used to do
>> attacks.
>>
>> This is RFC patch which disallow anybody without CAP_SYS_ADMIN to read
>> the pagemap.
>>
>> Any comments?
>
> I prefer Dave Hansen's approach:
>
> http://www.spinics.net/lists/kernel/msg1941939.html
>
> This gives finer grained control without globally dropping the ability
> of a non-root process to examine pagemap details (which is the whole
> point of the interface).
per-pidns like this is no good. You shouldn't be able to create a
non-paranoid pidns if your parent is paranoid.
Also, at some point we need actual per-ns controls. This mount option
stuff is hideous.
--Andy
>
> -Kees
>
>>
>> [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
>>
>> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
>> Cc: Pavel Emelyanov <xemul@...allels.com>
>> Cc: Konstantin Khlebnikov <khlebnikov@...nvz.org>
>> Cc: Andrew Morton <akpm@...ux-foundation.org>
>> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
>> Cc: Mark Seaborn <mseaborn@...omium.org>
>> Cc: Andy Lutomirski <luto@...capital.net>
>> ---
>> fs/proc/task_mmu.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
>> index 246eae84b13b..b72b36e64286 100644
>> --- a/fs/proc/task_mmu.c
>> +++ b/fs/proc/task_mmu.c
>> @@ -1322,6 +1322,9 @@ out:
>>
>> static int pagemap_open(struct inode *inode, struct file *file)
>> {
>> + /* do not disclose physical addresses: attack vector */
>> + if (!capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>> pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
>> "to stop being page-shift some time soon. See the "
>> "linux/Documentation/vm/pagemap.txt for details.\n");
>> --
>> 2.3.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>
>
>
> --
> Kees Cook
> Chrome OS Security
--
Andy Lutomirski
AMA Capital Management, LLC
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists