Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 30.11.2015 14:30, Willy Tarreau wrote:

On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:

>On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:

> >On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> >This is wrong; see
> ><https://marc.info/?l=linux-api&m=143144321020852&w=2>.

>
>Damned, and I now remember this discussion. The worst thing is that
>I purposely booted a machine to test the fix and was happy with it,
>I forgot this point:-(
>

> >For 2.6.32 perhaps you could retain the capability check at open time
> >but store the result in private state for use at read time.

>
>I'll see if it is possible to opencode security_capable() with 2.6.32's
>infrastructure, and how far this brings us. Or maybe we should even drop
>this one completely and leave pagemap readable only for superuser on
>2.6.32, it doesn't seem to be that big of a deal either.

It was easy enough to open-code security_capable() in the end. I've
tested this version which works fine for me here. If that's OK for you
I'll emit an -rc2 with the last two patches.

Thanks,
Willy


0001-pagemap-hide-physical-addresses-from-non-privileged-.patch


 From fde24678af1b04712144457512afbc16fd71b252 Mon Sep 17 00:00:00 2001
From: Konstantin Khlebnikov<khlebnikov@xxxxxxxxxxxxxx>
Date: Tue, 8 Sep 2015 15:00:07 -0700
Subject: pagemap: hide physical addresses from non-privileged users

commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.

This patch makes pagemap readable for normal users and hides physical
addresses from them.  For some use-cases PFN isn't required at all.

Seehttp://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@xxxxxxxxxxxxx

Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Signed-off-by: Konstantin Khlebnikov<khlebnikov@xxxxxxxxxxxxxx>
Cc: Naoya Horiguchi<n-horiguchi@xxxxxxxxxxxxx>
Reviewed-by: Mark Williamson<mwilliamson@xxxxxxxxxxxxxxxxx>
Tested-by:  Mark Williamson<mwilliamson@xxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton<akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds<torvalds@xxxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 3.2:
  - Add the same check in the places where we look up a PFN
  - Add struct pagemapread * parameters where necessary
  - Open-code file_ns_capable()
  - Delete pagemap_open() entirely, as it would always return 0]
Signed-off-by: Ben Hutchings<ben@xxxxxxxxxxxxxxx>
(cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
[wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, open-coded
  security_capable(). Tested OK. ]
Signed-off-by: Willy Tarreau<w@xxxxxx>
---
  fs/proc/task_mmu.c | 21 ++++++++-------------
  1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 73db5a6..24d3602 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -8,6 +8,7 @@
  #include <linux/mempolicy.h>
  #include <linux/swap.h>
  #include <linux/swapops.h>
+#include <linux/security.h>

  #include <asm/elf.h>
  #include <asm/uaccess.h>
@@ -539,6 +540,7 @@ const struct file_operations proc_clear_refs_operations = {

  struct pagemapread {
  	u64 __user *out, *end;
+	bool show_pfn;
  };

  #define PM_ENTRY_BYTES      sizeof(u64)
@@ -589,14 +591,14 @@ static u64 swap_pte_to_pagemap_entry(pte_t pte)
  	return swp_type(e) | (swp_offset(e) << MAX_SWAPFILES_SHIFT);
  }

-static u64 pte_to_pagemap_entry(pte_t pte)
+static u64 pte_to_pagemap_entry(struct pagemapread *pm, pte_t pte)
  {
  	u64 pme = 0;
  	if (is_swap_pte(pte))
  		pme = PM_PFRAME(swap_pte_to_pagemap_entry(pte))
  			| PM_PSHIFT(PAGE_SHIFT) | PM_SWAP;
  	else if (pte_present(pte))
-		pme = PM_PFRAME(pte_pfn(pte))
+		pme = (pm->show_pfn ? PM_PFRAME(pte_pfn(pte)) : 0)
  			| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
  	return pme;
  }
@@ -624,7 +626,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
  		if (vma && (vma->vm_start <= addr) &&
  		    !is_vm_hugetlb_page(vma)) {
  			pte = pte_offset_map(pmd, addr);
-			pfn = pte_to_pagemap_entry(*pte);
+			pfn = pte_to_pagemap_entry(pm, *pte);
  			/* unmap before userspace copy */
  			pte_unmap(pte);
  		}
@@ -695,6 +697,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
  	if (!count)
  		goto out_task;

+	/* do not disclose physical addresses: attack vector */
+	pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
+


At first sight this is confusing... but correct. It really returns zero
for success, unlike to new file_ns_capable which returns bool true.

The rest looks good too.


  	mm = get_task_mm(task);
  	if (!mm)
  		goto out_task;
@@ -773,19 +778,9 @@ out:
  	return ret;
  }

-static int pagemap_open(struct inode *inode, struct file *file)
-{
-	/* do not disclose physical addresses to unprivileged
-	   userspace (closes a rowhammer attack vector) */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	return 0;
-}
-
  const struct file_operations proc_pagemap_operations = {
  	.llseek		= mem_lseek, /* borrow this */
  	.read		= pagemap_read,
-	.open		= pagemap_open,
  };
  #endif /* CONFIG_PROC_PAGE_MONITOR */

-- 1.7.12.1




--
Konstantin
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]