From: "Luck, Tony" <tony.luck@intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <ak@linux.intel.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Joe Konno <joe.konno@linux.intel.com>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jeremy Kerr <jk@ozlabs.org>, Matthew Garrett <mjg59@google.com>,
Peter Jones <pjones@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
James Bottomley <james.bottomley@hansenpartnership.com>
Subject: [PATCH] efivarfs: Limit the rate for non-root to read files
Date: Wed, 21 Feb 2018 17:45:06 -0800 [thread overview]
Message-ID: <20180222014505.2l76ccrrs36y3b26@agluck-desk> (raw)
In-Reply-To: <CA+55aFx3WKAL7e3TAs-2okggW6Z+DHANdmcsr+WTDh3N-Mx+Xw@mail.gmail.com>
Each read from a file in efivarfs results in two calls to EFI
(one to get the file size, another to get the actual data).
On X86 these EFI calls result in broadcast system management
interrupts (SMI) which affect performance of the whole system.
A malicious user can loop performing reads from efivarfs bringing
the system to its knees.
Linus suggested per-user rate limit to solve this.
So we add a ratelimit structure to "user_struct" and initialize
it for the root user for no limit. When allocating user_struct for
other users we set the limit to 100 per second. This could be used
for other places that want to limit the rate of some detrimental
user action.
In efivarfs if the limit is exceeded when reading, we sleep for 10ms.
Signed-off-by: Tony Luck <tony.luck@intel.com>
---
fs/efivarfs/file.c | 4 ++++
include/linux/sched/user.h | 4 ++++
kernel/user.c | 3 +++
3 files changed, 11 insertions(+)
diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c
index 5f22e74bbade..7bcf5b041028 100644
--- a/fs/efivarfs/file.c
+++ b/fs/efivarfs/file.c
@@ -8,6 +8,7 @@
*/
#include <linux/efi.h>
+#include <linux/delay.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/mount.h>
@@ -74,6 +75,9 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
ssize_t size = 0;
int err;
+ if (!__ratelimit(&file->f_cred->user->ratelimit))
+ usleep_range(10000, 10000);
+
err = efivar_entry_size(var, &datasize);
/*
diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h
index 0dcf4e480ef7..96fe289c4c6e 100644
--- a/include/linux/sched/user.h
+++ b/include/linux/sched/user.h
@@ -4,6 +4,7 @@
#include <linux/uidgid.h>
#include <linux/atomic.h>
+#include <linux/ratelimit.h>
struct key;
@@ -41,6 +42,9 @@ struct user_struct {
defined(CONFIG_NET)
atomic_long_t locked_vm;
#endif
+
+ /* Miscellaneous per-user rate limit */
+ struct ratelimit_state ratelimit;
};
extern int uids_sysfs_init(void);
diff --git a/kernel/user.c b/kernel/user.c
index 9a20acce460d..36288d840675 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -101,6 +101,7 @@ struct user_struct root_user = {
.sigpending = ATOMIC_INIT(0),
.locked_shm = 0,
.uid = GLOBAL_ROOT_UID,
+ .ratelimit = RATELIMIT_STATE_INIT(root_user.ratelimit, 0, 0),
};
/*
@@ -191,6 +192,8 @@ struct user_struct *alloc_uid(kuid_t uid)
new->uid = uid;
atomic_set(&new->__count, 1);
+ ratelimit_state_init(&new->ratelimit, HZ, 100);
+ ratelimit_set_flags(&new->ratelimit, RATELIMIT_MSG_ON_RELEASE);
/*
* Before adding this, check whether we raced
--
2.14.1
next prev parent reply other threads:[~2018-02-22 1:45 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-15 18:22 [PATCH 0/2] efivars: reading variables can generate SMIs Joe Konno
2018-02-15 18:22 ` [PATCH 1/2] fs/efivarfs: restrict inode permissions Joe Konno
2018-02-20 19:18 ` Andy Lutomirski
2018-02-20 21:18 ` Luck, Tony
2018-02-20 21:22 ` Matthew Garrett
2018-02-20 21:32 ` Luck, Tony
2018-02-20 21:35 ` Matthew Garrett
2018-02-20 22:01 ` Linus Torvalds
2018-02-20 23:30 ` Luck, Tony
2018-02-20 23:39 ` Matthew Garrett
2018-02-20 23:50 ` Luck, Tony
2018-02-21 0:49 ` Linus Torvalds
2018-02-21 1:05 ` Luck, Tony
2018-02-21 2:16 ` Linus Torvalds
2018-02-21 9:03 ` Ard Biesheuvel
2018-02-21 18:02 ` Linus Torvalds
2018-02-21 18:21 ` Andi Kleen
2018-02-21 19:47 ` Luck, Tony
2018-02-21 19:50 ` Linus Torvalds
2018-02-21 19:58 ` Luck, Tony
2018-02-21 20:40 ` Linus Torvalds
2018-02-22 1:45 ` Luck, Tony [this message]
2018-02-22 1:58 ` [PATCH] efivarfs: Limit the rate for non-root to read files Linus Torvalds
2018-02-22 5:34 ` Luck, Tony
2018-02-22 17:10 ` Eric W. Biederman
[not found] ` <CA+55aFy0hRexJkLbN7t31LjfGr4Ae0W5g6sBMqHHJi8aYuGKeA@mail.gmail.com>
[not found] ` <612E894E-62C8-4155-AED8-D53702EDC8DC@intel.com>
[not found] ` <CA+55aFxeBaTbwvbWqx1MKYjKKzLUs=1O43Bx2=JaO8qrnY-8HA@mail.gmail.com>
2018-02-22 17:15 ` [PATCH v2] " Luck, Tony
2018-02-22 17:39 ` Linus Torvalds
2018-02-22 17:54 ` Luck, Tony
2018-02-22 18:07 ` Linus Torvalds
2018-02-22 18:08 ` Ard Biesheuvel
2018-02-23 20:34 ` Andy Lutomirski
2018-02-23 19:47 ` [PATCH] " Peter Jones
2018-02-21 19:52 ` [PATCH 1/2] fs/efivarfs: restrict inode permissions Linus Torvalds
2018-02-24 20:06 ` Alan Cox
2018-02-25 10:56 ` Ard Biesheuvel
2018-02-21 0:49 ` Peter Jones
2018-02-20 23:19 ` Andy Lutomirski
2018-02-15 18:22 ` [PATCH 2/2] efi: restrict top-level attribute permissions Joe Konno
2018-02-15 18:22 ` Joe Konno
2018-02-16 10:41 ` [PATCH 0/2] efivars: reading variables can generate SMIs Ard Biesheuvel
2018-02-16 10:55 ` Borislav Petkov
2018-02-16 10:58 ` Ard Biesheuvel
2018-02-16 11:08 ` Borislav Petkov
2018-02-16 11:18 ` Ard Biesheuvel
2018-02-16 11:18 ` Ard Biesheuvel
2018-02-16 18:48 ` Joe Konno
2018-02-16 18:48 ` Joe Konno
2018-02-16 18:58 ` Borislav Petkov
2018-02-16 19:22 ` Peter Jones
2018-02-16 19:31 ` Ard Biesheuvel
2018-02-16 19:51 ` Matthew Garrett
2018-02-16 19:51 ` Matthew Garrett
2018-02-16 19:32 ` Luck, Tony
2018-02-16 19:54 ` Peter Jones
2018-02-16 20:51 ` James Bottomley
2018-02-16 20:51 ` James Bottomley
2018-02-16 21:09 ` Luck, Tony
2018-02-16 21:09 ` Luck, Tony
2018-02-16 21:45 ` Andy Lutomirski
2018-02-16 21:58 ` Matthew Garrett
2018-02-16 22:02 ` Luck, Tony
2018-02-16 22:02 ` Luck, Tony
2018-02-16 22:03 ` Matthew Garrett
2018-02-16 22:03 ` Matthew Garrett
2018-02-17 18:12 ` Andy Lutomirski
2018-02-17 18:12 ` Andy Lutomirski
2018-02-16 22:05 ` Peter Jones
2018-02-17 9:36 ` Ard Biesheuvel
2018-02-17 9:36 ` Ard Biesheuvel
2018-02-17 16:17 ` Andi Kleen
2018-02-17 16:17 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180222014505.2l76ccrrs36y3b26@agluck-desk \
--to=tony.luck@intel.com \
--cc=ak@linux.intel.com \
--cc=ard.biesheuvel@linaro.org \
--cc=james.bottomley@hansenpartnership.com \
--cc=jk@ozlabs.org \
--cc=joe.konno@linux.intel.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mjg59@google.com \
--cc=pjones@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.