Message-ID: <20150310113301.GA8044@amd>
Date:	Tue, 10 Mar 2015 12:33:01 +0100
From:	Pavel Machek <pavel@....cz>
To:	Mark Seaborn <mseaborn@...omium.org>
Cc:	kernel list <linux-kernel@...r.kernel.org>,
	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
	luto <luto@...capital.net>
Subject: DRAM bug exploitable on 50% machines without ECC (was Re: DRAM
 unreliable under specific access pattern)

On Mon 2015-03-09 09:03:18, Mark Seaborn wrote:
> On 6 January 2015 at 15:20, Pavel Machek <pavel@....cz> wrote:
> > On Mon 2015-01-05 19:23:29, One Thousand Gnomes wrote:
> > Actually, I could not get my test code to run; and as code from
> >
> > https://github.com/mseaborn/rowhammer-test
> >
> > reproduces issue for me, I stopped trying. I could not get it to
> > damage memory of other process than itself (but that should be
> > possible), I guess that's next thing to try.
> 
> FYI, rowhammer-induced bit flips do turn out to be exploitable.  Here
> are the results of my research on this:
> http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

The excrement made physical contact with a hydro-electric powered
oscillating air current distribution device.

Thanks a lot for the report. One thing stands out: you ask for more
openness from the hardware vendors, but then you mask the manufacturer
names to make it easier for them to be quiet. Are corporate lawyers
being nasty?

Anyway, in the name of full disclosure:

Thinkpad x60: could not reproduce.

2009-era desktop: reproduced.

BIOS Information
Vendor: Intel Corp.
Version: MJG4110H.86A.0006.2009.1223.1155
Release Date: 12/23/2009
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 1024 kB
Characteristics:
...
Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer:                                  
        Product Name:                                  
        Version:                                  
        Serial Number:                                  
        UUID: 56E3FDCE-66ED-11DF-87C2-001FE20E1E5F
        Wake-up Type: Power Switch
        SKU Number: Not Specified
        Family: Not Specified

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
        Manufacturer: Intel Corporation
        Product Name: DG41MJ
        Version: AAE54659-206
        Serial Number: AZMJ02200117
        Asset Tag: To be filled by O.E.M.
        Features:
                Board is a hosting board
                Board is replaceable
        Location In Chassis: To be filled by O.E.M.
        Chassis Handle: 0x0003
        Type: Motherboard
        Contained Object Handles: 0

CPU is Intel(R) Core(TM)2 Duo CPU     E7400  @ 2.80GHz .

I guess it makes sense to post to bugtraq@...urityfocus.com and get
CVE number?

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html