Thread: 15 messages, 10 authors, 2015-03-23

rowhammer and pagemap (was Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace)

From: Pavel Machek <hidden>
Date: 2015-03-17 11:16:57
Also in: lkml

> > Given that, I think it would still be worthwhile to disable /proc/PID/pagemap.
>
> Having slept on this further, I think that unprivileged pagemap access
> is awful and we should disable it with no option to re-enable.  If we
> absolutely must, we could allow programs to read all zeros or to read
> addresses that are severely scrambled (e.g. ECB-encrypted by a key
> generated once per open of pagemap).
>
>  - It could easily leak direct-map addresses, and there's a nice paper
> detailing a SMAP bypass using that technique.
Do you have a pointer?

Can we just try getting rid of it except with global CAP_SYS_ADMIN?

> (Hmm.  Rowhammer attacks targeting SMRAM could be interesting.)
:-).
> > > Can we do anything about that? Disabling cache flushes from userland
> > > should make it no longer exploitable.
> >
> > Unfortunately there's no way to disable userland code's use of
> > CLFLUSH, as far as I know.
> >
> > Maybe Intel or AMD could disable CLFLUSH via a microcode update, but
> > they have not said whether that would be possible.
>
> The Intel people I asked last week weren't confident.  For one thing,
> I fully expect that rowhammer can be exploited using only reads and
> writes with some clever tricks involving cache associativity.  I don't
> think there are any fully-associative caches, although the cache
> replacement algorithm could make the attacks interesting.
We should definitely get Intel/AMD to disable CLFLUSH, then.

Because if it can be exploited using reads, it is _extremely_
important to know. As it probably means rowhammer can be exploited
using JavaScript / Java... and affected machines are unsafe even
without remote users.
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
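Added example, not part of the thread or of any kernel patch: a small C program that reads the pagemap entry for one of its own pages, decodes it using the bit layout documented in Documentation/vm/pagemap.txt (bits 0-54 PFN, bit 55 soft-dirty, bit 56 exclusively mapped, bit 61 file/shared, bit 62 swapped, bit 63 present), and reports whether the kernel handed a non-privileged reader a real physical frame number. It assumes a 64-bit Linux host; on kernels that carry the fix discussed above (4.2 and later) the PFN field reads as zero unless the process has CAP_SYS_ADMIN, which is the check a practitioner would run to see whether pagemap still leaks physical addresses on a given box.

```c
/* Added example (not from the thread): decode /proc/self/pagemap entries and
 * report whether the PFN is exposed to the calling (normally unprivileged) process.
 * Bit layout per Documentation/vm/pagemap.txt (now admin-guide/mm/pagemap.rst). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAGEMAP_PFN_MASK     ((UINT64_C(1) << 55) - 1)
#define PAGEMAP_SOFT_DIRTY   (UINT64_C(1) << 55)
#define PAGEMAP_EXCLUSIVE    (UINT64_C(1) << 56)
#define PAGEMAP_FILE_SHARED  (UINT64_C(1) << 61)
#define PAGEMAP_SWAPPED      (UINT64_C(1) << 62)
#define PAGEMAP_PRESENT      (UINT64_C(1) << 63)

struct pagemap_entry {
    uint64_t raw;
    uint64_t pfn;        /* 0 when absent, swapped, or hidden from the reader */
    int present;
    int swapped;
    int file_shared;
    int exclusive;
    int soft_dirty;
};

/* Split one 64-bit pagemap word into its documented fields. */
void pagemap_decode(uint64_t raw, struct pagemap_entry *e)
{
    memset(e, 0, sizeof(*e));
    e->raw = raw;
    e->present = !!(raw & PAGEMAP_PRESENT);
    e->swapped = !!(raw & PAGEMAP_SWAPPED);
    e->file_shared = !!(raw & PAGEMAP_FILE_SHARED);
    e->exclusive = !!(raw & PAGEMAP_EXCLUSIVE);
    e->soft_dirty = !!(raw & PAGEMAP_SOFT_DIRTY);
    /* The low 55 bits are a PFN only for a present, non-swapped page;
     * for a swapped page they hold swap type/offset instead. */
    e->pfn = (e->present && !e->swapped) ? (raw & PAGEMAP_PFN_MASK) : 0;
}

/* 1 if the entry reveals a physical address: resident page with a non-zero PFN.
 * Kernels since 4.2 zero the PFN unless the reader has CAP_SYS_ADMIN. */
int pagemap_leaks_pfn(const struct pagemap_entry *e)
{
    return e->present && e->pfn != 0;
}

/* Physical address of the byte at vaddr, given its decoded entry and the page size. */
uint64_t pagemap_phys_addr(const struct pagemap_entry *e, uintptr_t vaddr, long page_size)
{
    return e->pfn * (uint64_t)page_size + (uint64_t)(vaddr % (uintptr_t)page_size);
}

/* Read and decode the pagemap entry covering vaddr in the calling process.
 * Returns 0 on success, -1 on error (errno set by open/pread). */
int pagemap_lookup(uintptr_t vaddr, struct pagemap_entry *e)
{
    long page_size = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    /* One 8-byte entry per virtual page, indexed by virtual page number. */
    off_t off = (off_t)(vaddr / (uintptr_t)page_size) * (off_t)sizeof(uint64_t);
    uint64_t raw;
    ssize_t n = pread(fd, &raw, sizeof(raw), off);
    close(fd);
    if (n != (ssize_t)sizeof(raw))
        return -1;
    pagemap_decode(raw, e);
    return 0;
}

int main(void)
{
    long page_size = sysconf(_SC_PAGESIZE);
    /* Touch a fresh page so it is resident before we look it up. */
    char *buf = malloc((size_t)page_size);
    if (!buf)
        return 1;
    memset(buf, 0xA5, (size_t)page_size);

    struct pagemap_entry e;
    if (pagemap_lookup((uintptr_t)buf, &e) < 0) {
        perror("/proc/self/pagemap");
        return 1;
    }
    printf("vaddr=%p raw=0x%016llx present=%d swapped=%d exclusive=%d\n",
           (void *)buf, (unsigned long long)e.raw, e.present, e.swapped, e.exclusive);
    if (pagemap_leaks_pfn(&e))
        printf("PFN 0x%llx exposed, physical address 0x%llx (privileged reader or unfixed kernel)\n",
               (unsigned long long)e.pfn,
               (unsigned long long)pagemap_phys_addr(&e, (uintptr_t)buf, page_size));
    else
        printf("PFN hidden (zeroed): unprivileged reader on a kernel with the fix\n");
    free(buf);
    return 0;
}
```

Run it once as a normal user and once as root: on a fixed kernel the first run prints a zeroed PFN and the second prints the real frame, which is exactly the distinction the CAP_SYS_ADMIN gate in this thread is meant to enforce.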