From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
To: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
	Mark Williamson <mwilliamson@undo-software.com>,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Subject: [PATCH v4 4/5] pagemap: hide physical addresses from non-privileged users
Date: Tue, 14 Jul 2015 18:37:47 +0300	[thread overview]
Message-ID: <20150714153747.29844.13543.stgit@buzz> (raw)
In-Reply-To: <20150714152516.29844.69929.stgit@buzz>

This patch makes pagemap readable for normal users and hides physical
addresses from them. For some use-cases PFN isn't required at all.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Link: http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name
---
 fs/proc/task_mmu.c |   25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 040721fa405a..3a5d338ea219 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -937,6 +937,7 @@ typedef struct {
 struct pagemapread {
 	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
 	pagemap_entry_t *buffer;
+	bool show_pfn;
 };
 
 #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
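Review bot: The new `show_pfn` field carries a security decision but has no comment, and each walker further down (the hunks in pte_to_pagemap_entry, pagemap_pmd_range and pagemap_hugetlb_range) has to test it separately. Nothing in the struct states that contract, so a later walker that fills `frame` for a present page without checking the flag would expose PFNs again with no visible error. I would document it on the field, for example `bool show_pfn;	/* false: present pages must report frame 0 (opener lacked CAP_SYS_ADMIN) */`. The struct is fully visible in this hunk; the walkers are only partly visible.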
@@ -1013,7 +1014,8 @@ static pagemap_entry_t pte_to_pagemap_entry(struct pagemapread *pm,
 	struct page *page = NULL;
 
 	if (pte_present(pte)) {
-		frame = pte_pfn(pte);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte);
 		flags |= PM_PRESENT;
 		page = vm_normal_page(vma, addr, pte);
 		if (pte_soft_dirty(pte))
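Review bot: With `pm->show_pfn` false, `PM_PRESENT` is still set while `frame` keeps the value it was initialised to outside this hunk (presumably 0), so a reader cannot tell a withheld PFN from a real PFN of 0. Because the pagemap_open hunk also drops the `-EPERM` return, tools that detected missing privilege through a failed open will now open successfully and read zeros. A comment at the guard would make the intent explicit, e.g. `/* PFN withheld: entry keeps PM_PRESENT but reports frame 0 */`. The same applies to the guarded `frame` assignments in pagemap_pmd_range and pagemap_hugetlb_range; pte_to_pagemap_entry continues outside the hunk.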
@@ -1063,8 +1065,9 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end,
 		 */
 		if (pmd_present(pmd)) {
 			flags |= PM_PRESENT;
-			frame = pmd_pfn(pmd) +
-				((addr & ~PMD_MASK) >> PAGE_SHIFT);
+			if (pm->show_pfn)
+				frame = pmd_pfn(pmd) +
+					((addr & ~PMD_MASK) >> PAGE_SHIFT);
 		}
 
 		for (; addr != end; addr += PAGE_SIZE) {
@@ -1073,7 +1076,7 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end,
 			err = add_to_pagemap(addr, &pme, pm);
 			if (err)
 				break;
-			if (flags & PM_PRESENT)
+			if (pm->show_pfn && (flags & PM_PRESENT))
 				frame++;
 		}
 		spin_unlock(ptl);
@@ -1127,8 +1130,9 @@ static int pagemap_hugetlb_range(pte_t *ptep, unsigned long hmask,
 			flags |= PM_FILE;
 
 		flags |= PM_PRESENT;
-		frame = pte_pfn(pte) +
-			((addr & ~hmask) >> PAGE_SHIFT);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte) +
+				((addr & ~hmask) >> PAGE_SHIFT);
 	}
 
 	for (; addr != end; addr += PAGE_SIZE) {
@@ -1137,7 +1141,7 @@ static int pagemap_hugetlb_range(pte_t *ptep, unsigned long hmask,
 		err = add_to_pagemap(addr, &pme, pm);
 		if (err)
 			return err;
-		if (flags & PM_PRESENT)
+		if (pm->show_pfn && (flags & PM_PRESENT))
 			frame++;
 	}
 
@@ -1196,6 +1200,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
 	if (!count)
 		goto out_mm;
 
+	/* do not disclose physical addresses: attack vector */
+	pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);
+
 	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
 	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
 	ret = -ENOMEM;
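Review bot: The comment above `file_ns_capable()` does not say whose privilege is tested: the check uses the credentials recorded when the file was opened, not those of the task calling read(). That is the safer choice when a descriptor is handed to a more privileged reader, but it also means a descriptor opened with CAP_SYS_ADMIN in init_user_ns keeps returning PFNs after it is passed to or inherited by a less privileged task. I would spell this out, e.g. `/* PFNs only if the opener had CAP_SYS_ADMIN in init_user_ns; uses file->f_cred, not current */`. Since the opener's credentials are fixed for the life of the file, the result could be computed once instead of on every read, though that is minor. pagemap_read starts and ends outside the hunk.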
@@ -1265,10 +1272,6 @@ static int pagemap_open(struct inode *inode, struct file *file)
 {
 	struct mm_struct *mm;
 
-	/* do not disclose physical addresses: attack vector */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	mm = proc_mem_open(inode, PTRACE_MODE_READ);
 	if (IS_ERR(mm))
 		return PTR_ERR(mm);


WARNING: multiple messages have this Message-ID (diff)
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
To: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
	Mark Williamson <mwilliamson@undo-software.com>,
	linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Subject: [PATCH v4 4/5] pagemap: hide physical addresses from non-privileged users
Date: Tue, 14 Jul 2015 18:37:47 +0300	[thread overview]
Message-ID: <20150714153747.29844.13543.stgit@buzz> (raw)
In-Reply-To: <20150714152516.29844.69929.stgit@buzz>

This patch makes pagemap readable for normal users and hides physical
addresses from them. For some use-cases PFN isn't required at all.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
Link: http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@shutemov.name
---
 fs/proc/task_mmu.c |   25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 040721fa405a..3a5d338ea219 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -937,6 +937,7 @@ typedef struct {
 struct pagemapread {
 	int pos, len;		/* units: PM_ENTRY_BYTES, not bytes */
 	pagemap_entry_t *buffer;
+	bool show_pfn;
 };
 
 #define PAGEMAP_WALK_SIZE	(PMD_SIZE)
@@ -1013,7 +1014,8 @@ static pagemap_entry_t pte_to_pagemap_entry(struct pagemapread *pm,
 	struct page *page = NULL;
 
 	if (pte_present(pte)) {
-		frame = pte_pfn(pte);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte);
 		flags |= PM_PRESENT;
 		page = vm_normal_page(vma, addr, pte);
 		if (pte_soft_dirty(pte))
@@ -1063,8 +1065,9 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end,
 		 */
 		if (pmd_present(pmd)) {
 			flags |= PM_PRESENT;
-			frame = pmd_pfn(pmd) +
-				((addr & ~PMD_MASK) >> PAGE_SHIFT);
+			if (pm->show_pfn)
+				frame = pmd_pfn(pmd) +
+					((addr & ~PMD_MASK) >> PAGE_SHIFT);
 		}
 
 		for (; addr != end; addr += PAGE_SIZE) {
@@ -1073,7 +1076,7 @@ static int pagemap_pmd_range(pmd_t *pmdp, unsigned long addr, unsigned long end,
 			err = add_to_pagemap(addr, &pme, pm);
 			if (err)
 				break;
-			if (flags & PM_PRESENT)
+			if (pm->show_pfn && (flags & PM_PRESENT))
 				frame++;
 		}
 		spin_unlock(ptl);
@@ -1127,8 +1130,9 @@ static int pagemap_hugetlb_range(pte_t *ptep, unsigned long hmask,
 			flags |= PM_FILE;
 
 		flags |= PM_PRESENT;
-		frame = pte_pfn(pte) +
-			((addr & ~hmask) >> PAGE_SHIFT);
+		if (pm->show_pfn)
+			frame = pte_pfn(pte) +
+				((addr & ~hmask) >> PAGE_SHIFT);
 	}
 
 	for (; addr != end; addr += PAGE_SIZE) {
@@ -1137,7 +1141,7 @@ static int pagemap_hugetlb_range(pte_t *ptep, unsigned long hmask,
 		err = add_to_pagemap(addr, &pme, pm);
 		if (err)
 			return err;
-		if (flags & PM_PRESENT)
+		if (pm->show_pfn && (flags & PM_PRESENT))
 			frame++;
 	}
 
@@ -1196,6 +1200,9 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
 	if (!count)
 		goto out_mm;
 
+	/* do not disclose physical addresses: attack vector */
+	pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);
+
 	pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
 	pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
 	ret = -ENOMEM;
@@ -1265,10 +1272,6 @@ static int pagemap_open(struct inode *inode, struct file *file)
 {
 	struct mm_struct *mm;
 
-	/* do not disclose physical addresses: attack vector */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-
 	mm = proc_mem_open(inode, PTRACE_MODE_READ);
 	if (IS_ERR(mm))
 		return PTR_ERR(mm);
