| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Feb 2019 07:36:43 +0100
From: Michal Hocko <mhocko@...nel.org>
To: Jiri Kosina <jikos@...nel.org>
Cc: Vlastimil Babka <vbabka@...e.cz>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
linux-api@...r.kernel.org, Peter Zijlstra <peterz@...radead.org>,
Greg KH <gregkh@...uxfoundation.org>,
Jann Horn <jannh@...gle.com>,
Dominique Martinet <asmadeus@...ewreck.org>,
Andy Lutomirski <luto@...capital.net>,
Dave Chinner <david@...morbit.com>,
Kevin Easton <kevin@...rana.org>,
Matthew Wilcox <willy@...radead.org>,
Cyril Hrubis <chrubis@...e.cz>, Tejun Heo <tj@...nel.org>,
"Kirill A . Shutemov" <kirill@...temov.name>,
Daniel Gruss <daniel@...ss.cc>, Josh Snyder <joshs@...flix.com>
Subject: Re: [PATCH 3/3] mm/mincore: provide mapped status when cached status
is not allowed
On Tue 12-02-19 04:44:30, Jiri Kosina wrote:
> On Fri, 1 Feb 2019, Vlastimil Babka wrote:
>
> > >> After "mm/mincore: make mincore() more conservative" we sometimes restrict the
> > >> information about page cache residency, which we have to do without breaking
> > >> existing userspace, if possible. We thus fake the resulting values as 1, which
> > >> should be safer than faking them as 0, as there might theoretically exist code
> > >> that would try to fault in the page(s) until mincore() returns 1.
> > >>
> > >> Faking 1 however means that such code would not fault in a page even if it was
> > >> not in page cache, with unwanted performance implications. We can improve the
> > >> situation by revisting the approach of 574823bfab82 ("Change mincore() to count
> > >> "mapped" pages rather than "cached" pages") but only applying it to cases where
> > >> page cache residency check is restricted. Thus mincore() will return 0 for an
> > >> unmapped page (which may or may not be resident in a pagecache), and 1 after
> > >> the process faults it in.
> > >>
> > >> One potential downside is that mincore() will be again able to recognize when a
> > >> previously mapped page was reclaimed. While that might be useful for some
> > >> attack scenarios, it's not as crucial as recognizing that somebody else faulted
> > >> the page in, and there are also other ways to recognize reclaimed pages anyway.
> > >
> > > Is this really worth it? Do we know about any specific usecase that
> > > would benefit from this change? TBH I would rather wait for the report
> > > than add a hard to evaluate side channel.
> >
> > Well it's not that complicated IMHO. Linus said it's worth trying, so
> > let's see how he likes the result. The side channel exists anyway as
> > long as process can e.g. check if its rss shrinked, and I doubt we are
> > going to remove that possibility.
>
> So, where do we go from here?
>
> Either Linus and Andrew like the mincore() return value tweak, or this
> could be further discussed (*). But in either of the cases, I think
> patches 1 and 2 should be at least queued for 5.1.
I would go with patch 1 for 5.1. Patches 2 still sounds controversial or
incomplete to me. And patch 3, well I will leave the decision to
Andrew/Linus.
> (*) I'd personally include it as well, as I don't see how it would break
> anything, it's pretty straightforward, and brings back some sanity to
> mincore() return value.
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists