| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z9spTE_M47M4qpCR@google.com> Date: Wed, 19 Mar 2025 13:30:04 -0700 From: Namhyung Kim <namhyung@...nel.org> To: Ravi Bangoria <ravi.bangoria@....com> Cc: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...nel.org>, Kan Liang <kan.liang@...ux.intel.com>, Mark Rutland <mark.rutland@....com>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, Arnaldo Carvalho de Melo <acme@...nel.org>, LKML <linux-kernel@...r.kernel.org>, Matteo Rizzo <matteorizzo@...gle.com> Subject: Re: [PATCH v2] perf/x86: Check data address for IBS software filter On Wed, Mar 19, 2025 at 04:24:12PM +0530, Ravi Bangoria wrote: > Hi Namhyung, > > >>> IBS software filter was to filter kernel samples for regular users in > >>> PMI handler. It checks the instruction address in the IBS register to > >>> determine if it was in the kernel more or not. > >>> > >>> But it turns out that it's possible to report a kernel data address even > >>> if the instruction address belongs to the user space. Matteo Rizzo > >>> found that when an instruction raises an exception, IBS can report some > >>> kernel data address like IDT while holding the faulting instruction's > >>> RIP. To prevent an information leak, it should double check if the data > >>> address in PERF_SAMPLE_DATA is in the kernel space as well. > >> > >> PERF_SAMPLE_RAW can also leak kernel data address. How about: > > > > Thanks for your review. > > > > I think RAW is different as it requires perf_event_paranoid == -1. > > IBS allows PERF_SAMPLE_RAW irrespective of perf_event_paranoid. e.g.: > > $ cat /proc/sys/kernel/perf_event_paranoid > 2 > > $ ./perf record -e ibs_op/swfilt=1/u --raw-samples -- make > [ perf record: Woken up 1 times to write data ] > [ perf record: Captured and wrote 1.371 MB perf.data (3957 samples) ] > > $ ./perf script -D | egrep -A2 "LdOp 1.*DcLinAddrValid 1" | egrep "IbsDCLinAd:\s*f" > IbsDCLinAd: fffffe00000000e8 Oh, I thought it was enforced in the core layer but it turns out that it's checked only by tracepoint events. > > We have two options: > 1) Restrict IBS + PERF_SAMPLE_RAW to privilege users. > 2) Remove all sensitive information from raw register dump before > passing it to userspace. (Kernel data addresses and all physical > addresses are the only sensitive info I suppose?). > > 2 is better IMO since it will allow unprivileged user to use IBS > with full potential. wdyt? I'm slightly inclined to #1 for simplicity and safety, but #2 is fine to me as well. Thanks, Namhyung
Powered by blists - more mailing lists