| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Nov 2015 14:49:59 +0300
From: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
To: Willy Tarreau <w@....eu>, Ben Hutchings <ben@...adent.org.uk>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Naoya Horiguchi <n-horiguchi@...jp.nec.com>,
Mark Williamson <mwilliamson@...o-software.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical
addresses from non-privileged users
On 30.11.2015 14:30, Willy Tarreau wrote:
> On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:
>> >On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:
>>> > >On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
>>> > >This is wrong; see
>>> > ><https://marc.info/?l=linux-api&m=143144321020852&w=2>.
>> >
>> >Damned, and I now remember this discussion. The worst thing is that
>> >I purposely booted a machine to test the fix and was happy with it,
>> >I forgot this point:-(
>> >
>>> > >For 2.6.32 perhaps you could retain the capability check at open time
>>> > >but store the result in private state for use at read time.
>> >
>> >I'll see if it is possible to opencode security_capable() with 2.6.32's
>> >infrastructure, and how far this brings us. Or maybe we should even drop
>> >this one completely and leave pagemap readable only for superuser on
>> >2.6.32, it doesn't seem to be that big of a deal either.
> It was easy enough to open-code security_capable() in the end. I've
> tested this version which works fine for me here. If that's OK for you
> I'll emit an -rc2 with the last two patches.
>
> Thanks,
> Willy
>
>
> 0001-pagemap-hide-physical-addresses-from-non-privileged-.patch
>
>
> From fde24678af1b04712144457512afbc16fd71b252 Mon Sep 17 00:00:00 2001
> From: Konstantin Khlebnikov<khlebnikov@...dex-team.ru>
> Date: Tue, 8 Sep 2015 15:00:07 -0700
> Subject: pagemap: hide physical addresses from non-privileged users
>
> commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.
>
> This patch makes pagemap readable for normal users and hides physical
> addresses from them. For some use-cases PFN isn't required at all.
>
> Seehttp://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name
>
> Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
> Signed-off-by: Konstantin Khlebnikov<khlebnikov@...dex-team.ru>
> Cc: Naoya Horiguchi<n-horiguchi@...jp.nec.com>
> Reviewed-by: Mark Williamson<mwilliamson@...o-software.com>
> Tested-by: Mark Williamson<mwilliamson@...o-software.com>
> Signed-off-by: Andrew Morton<akpm@...ux-foundation.org>
> Signed-off-by: Linus Torvalds<torvalds@...ux-foundation.org>
> [bwh: Backported to 3.2:
> - Add the same check in the places where we look up a PFN
> - Add struct pagemapread * parameters where necessary
> - Open-code file_ns_capable()
> - Delete pagemap_open() entirely, as it would always return 0]
> Signed-off-by: Ben Hutchings<ben@...adent.org.uk>
> (cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
> [wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, open-coded
> security_capable(). Tested OK. ]
> Signed-off-by: Willy Tarreau<w@....eu>
> ---
> fs/proc/task_mmu.c | 21 ++++++++-------------
> 1 file changed, 8 insertions(+), 13 deletions(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 73db5a6..24d3602 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -8,6 +8,7 @@
> #include <linux/mempolicy.h>
> #include <linux/swap.h>
> #include <linux/swapops.h>
> +#include <linux/security.h>
>
> #include <asm/elf.h>
> #include <asm/uaccess.h>
> @@ -539,6 +540,7 @@ const struct file_operations proc_clear_refs_operations = {
>
> struct pagemapread {
> u64 __user *out, *end;
> + bool show_pfn;
> };
>
> #define PM_ENTRY_BYTES sizeof(u64)
> @@ -589,14 +591,14 @@ static u64 swap_pte_to_pagemap_entry(pte_t pte)
> return swp_type(e) | (swp_offset(e) << MAX_SWAPFILES_SHIFT);
> }
>
> -static u64 pte_to_pagemap_entry(pte_t pte)
> +static u64 pte_to_pagemap_entry(struct pagemapread *pm, pte_t pte)
> {
> u64 pme = 0;
> if (is_swap_pte(pte))
> pme = PM_PFRAME(swap_pte_to_pagemap_entry(pte))
> | PM_PSHIFT(PAGE_SHIFT) | PM_SWAP;
> else if (pte_present(pte))
> - pme = PM_PFRAME(pte_pfn(pte))
> + pme = (pm->show_pfn ? PM_PFRAME(pte_pfn(pte)) : 0)
> | PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
> return pme;
> }
> @@ -624,7 +626,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
> if (vma && (vma->vm_start <= addr) &&
> !is_vm_hugetlb_page(vma)) {
> pte = pte_offset_map(pmd, addr);
> - pfn = pte_to_pagemap_entry(*pte);
> + pfn = pte_to_pagemap_entry(pm, *pte);
> /* unmap before userspace copy */
> pte_unmap(pte);
> }
> @@ -695,6 +697,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
> if (!count)
> goto out_task;
>
> + /* do not disclose physical addresses: attack vector */
> + pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
> +
At first sight this is confusing... but correct. It really returns zero
for success, unlike to new file_ns_capable which returns bool true.
The rest looks good too.
> mm = get_task_mm(task);
> if (!mm)
> goto out_task;
> @@ -773,19 +778,9 @@ out:
> return ret;
> }
>
> -static int pagemap_open(struct inode *inode, struct file *file)
> -{
> - /* do not disclose physical addresses to unprivileged
> - userspace (closes a rowhammer attack vector) */
> - if (!capable(CAP_SYS_ADMIN))
> - return -EPERM;
> - return 0;
> -}
> -
> const struct file_operations proc_pagemap_operations = {
> .llseek = mem_lseek, /* borrow this */
> .read = pagemap_read,
> - .open = pagemap_open,
> };
> #endif /* CONFIG_PROC_PAGE_MONITOR */
>
> -- 1.7.12.1
>
--
Konstantin
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists