| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1a442b37-7a97-86f0-11e3-58d940ecfbc9@linux.intel.com>
Date: Fri, 15 Jun 2018 13:11:46 +0800
From: "Jin, Yao" <yao.jin@...ux.intel.com>
To: Kyle Huey <me@...ehuey.com>
Cc: acme@...nel.org, jolsa@...nel.org,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
open list <Linux-kernel@...r.kernel.org>,
Vince Weaver <vincent.weaver@...ne.edu>,
Will Deacon <will.deacon@....com>,
Stephane Eranian <eranian@...gle.com>,
Namhyung Kim <namhyung@...nel.org>, ak@...ux.intel.com,
kan.liang@...el.com, yao.jin@...el.com,
Robert O'Callahan <robert@...llahan.org>
Subject: Re: [PATCH v1 0/2] perf: Drop leaked kernel samples
On 6/15/2018 11:35 AM, Kyle Huey wrote:
> I strongly object to this patch as written. As I said when I
> originally reported[0] the regression introduced by the previous
> version of this patch a year ago.
>
> "It seems like this change should, at a bare minimum, be limited to
> counters that actually perform sampling of register state when the
> interrupt fires. In our case, with the retired conditional branches
> counter restricted to counting userspace events only, it makes no
> difference that the PMU interrupt happened to be delivered in the
> kernel."
>
> This means identifying which values of `perf_event_attr::sample_type`
> are security concerns (presumably PERF_SAMPLE_IP is, and
> PERF_SAMPLE_TIME is not, and someone needs to go through and decide on
> all of them) and filtering on those values for this new behavior.
>
> And because rr sets its sample_type to 0, once you do that, the sysctl
> will not be necessary.
>
> - Kyle
>
Since rr sets sample_type to 0, the easiest way is to add checking like:
if (event->attr.sample_type) {
if (event->attr.exclude_kernel && !user_mode(regs))
return false;
}
So the rr doesn't need to be changed and for other use cases the leaked
kernel samples will be dropped.
But I don't like this is because:
1. It's too specific for rr case.
2. If we create a new sample_type, e.g. PERF_SAMPLE_ALLOW_LEAKAGE, the
code will be:
if !(event->attr.sample_type & PERF_SAMPLE_ALLOW_LEAKAGE) {
if (event->attr.exclude_kernel && !user_mode(regs))
return false;
}
But rr needs to add PERF_SAMPLE_ALLOW_LEAKAGE to sample_type since by
default the bit is not set.
3. Sysctl is a more flexible way. It provides us with an option when we
want to see if skid is existing, we can use sysctl to turn on that.
Thanks
Jin Yao
Powered by blists - more mailing lists