On 30.11.2015 14:30, Willy Tarreau wrote:
On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:
>On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:
> >On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> >This is wrong; see
> ><https://marc.info/?l=linux-api&m=143144321020852&w=2>.
>
>Damned, and I now remember this discussion. The worst thing is that
>I purposely booted a machine to test the fix and was happy with it,
>I forgot this point:-(
>
> >For 2.6.32 perhaps you could retain the capability check at open time
> >but store the result in private state for use at read time.
>
>I'll see if it is possible to opencode security_capable() with 2.6.32's
>infrastructure, and how far this brings us. Or maybe we should even drop
>this one completely and leave pagemap readable only for superuser on
>2.6.32, it doesn't seem to be that big of a deal either.
It was easy enough to open-code security_capable() in the end. I've
tested this version which works fine for me here. If that's OK for you
I'll emit an -rc2 with the last two patches.
Thanks,
Willy
0001-pagemap-hide-physical-addresses-from-non-privileged-.patch
From fde24678af1b04712144457512afbc16fd71b252 Mon Sep 17 00:00:00 2001
From: Konstantin Khlebnikov<khlebnikov@xxxxxxxxxxxxxx>
Date: Tue, 8 Sep 2015 15:00:07 -0700
Subject: pagemap: hide physical addresses from non-privileged users
commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.
This patch makes pagemap readable for normal users and hides physical
addresses from them. For some use-cases PFN isn't required at all.
Seehttp://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@xxxxxxxxxxxxx
Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Signed-off-by: Konstantin Khlebnikov<khlebnikov@xxxxxxxxxxxxxx>
Cc: Naoya Horiguchi<n-horiguchi@xxxxxxxxxxxxx>
Reviewed-by: Mark Williamson<mwilliamson@xxxxxxxxxxxxxxxxx>
Tested-by: Mark Williamson<mwilliamson@xxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton<akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds<torvalds@xxxxxxxxxxxxxxxxxxxx>
[bwh: Backported to 3.2:
- Add the same check in the places where we look up a PFN
- Add struct pagemapread * parameters where necessary
- Open-code file_ns_capable()
- Delete pagemap_open() entirely, as it would always return 0]
Signed-off-by: Ben Hutchings<ben@xxxxxxxxxxxxxxx>
(cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
[wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, open-coded
security_capable(). Tested OK. ]
Signed-off-by: Willy Tarreau<w@xxxxxx>
---
fs/proc/task_mmu.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 73db5a6..24d3602 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -8,6 +8,7 @@
#include <linux/mempolicy.h>
#include <linux/swap.h>
#include <linux/swapops.h>
+#include <linux/security.h>
#include <asm/elf.h>
#include <asm/uaccess.h>
@@ -539,6 +540,7 @@ const struct file_operations proc_clear_refs_operations = {
struct pagemapread {
u64 __user *out, *end;
+ bool show_pfn;
};
#define PM_ENTRY_BYTES sizeof(u64)
@@ -589,14 +591,14 @@ static u64 swap_pte_to_pagemap_entry(pte_t pte)
return swp_type(e) | (swp_offset(e) << MAX_SWAPFILES_SHIFT);
}
-static u64 pte_to_pagemap_entry(pte_t pte)
+static u64 pte_to_pagemap_entry(struct pagemapread *pm, pte_t pte)
{
u64 pme = 0;
if (is_swap_pte(pte))
pme = PM_PFRAME(swap_pte_to_pagemap_entry(pte))
| PM_PSHIFT(PAGE_SHIFT) | PM_SWAP;
else if (pte_present(pte))
- pme = PM_PFRAME(pte_pfn(pte))
+ pme = (pm->show_pfn ? PM_PFRAME(pte_pfn(pte)) : 0)
| PM_PSHIFT(PAGE_SHIFT) | PM_PRESENT;
return pme;
}
@@ -624,7 +626,7 @@ static int pagemap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
if (vma && (vma->vm_start <= addr) &&
!is_vm_hugetlb_page(vma)) {
pte = pte_offset_map(pmd, addr);
- pfn = pte_to_pagemap_entry(*pte);
+ pfn = pte_to_pagemap_entry(pm, *pte);
/* unmap before userspace copy */
pte_unmap(pte);
}
@@ -695,6 +697,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
if (!count)
goto out_task;
+ /* do not disclose physical addresses: attack vector */
+ pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
+
At first sight this is confusing... but correct. It really returns zero
for success, unlike to new file_ns_capable which returns bool true.
The rest looks good too.
mm = get_task_mm(task);
if (!mm)
goto out_task;
@@ -773,19 +778,9 @@ out:
return ret;
}
-static int pagemap_open(struct inode *inode, struct file *file)
-{
- /* do not disclose physical addresses to unprivileged
- userspace (closes a rowhammer attack vector) */
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
- return 0;
-}
-
const struct file_operations proc_pagemap_operations = {
.llseek = mem_lseek, /* borrow this */
.read = pagemap_read,
- .open = pagemap_open,
};
#endif /* CONFIG_PROC_PAGE_MONITOR */
-- 1.7.12.1
--
Konstantin
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html