All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andi Kleen <ak@linux.intel.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH 1/6] Patch 1
Date: Wed, 25 Apr 2018 16:12:38 -0700	[thread overview]
Message-ID: <20180425231238.GO14273@tassilo.jf.intel.com> (raw)
In-Reply-To: <alpine.LFD.2.21.999.1804251518570.31078@i7.lan>

> So first off, split that up, and do the TRIVIAL TWO-LINER that was already 
> posted (by Hocko?) for swap entry mitigation. Nothing else. 

I haven't see Hocko's patch, but I assume it just inverts the complete 
swap entry except P while it is stored.

Two more corner cases:

- How about the case when you have more than MAX_PA/2 physical
memory? For this case we would need a flag to disable the
invert (and clear the reporting), otherwise it will be attackable.

Frankly this is fairly unlikely because usually systems have
far more MAX_PA than DIMM slots, except possibly for SGI UV.
It would be still better to handle it for that case.

- And how about someone adding a swap file that is larger than
MAX_PA/2? This would be also attackable with the invert approach.
I can readd a check to swapon for that.

My patch kit also made sure that swapon() with a too large file
gets rejected, otherwise it would be attackable if inverted. 
This also needs to be readded. This will require checking phys_bits again. 
Is that ok for you?

> 
> Then, start looking at PROT_NONE. There are two cases:
> 
>  - actual real file mappings
> 
>    We can use the same trick for PROT_NONE as we did for swap entries: 
>    just invert all the high bits. None of this "how many bits do I have".

Ok.

> 
>  - the /dev/mem kind of mappings (not necessarily through /dev/mem, they 
>    may well be remap_pfn_range() other ways
> 
>    These are always shared. It's not entirely clear that anybody even uses 
>    PROT_NONE on them. We may be able to just disallow PROT_NONE entirely, 
>    or we can just zap the mapping instead of trying to "save" it, since 
>    there really isn't anythign to save.

Ok. So disallow PROT_NONE until someone complains.

I assume we want to disallow PROT_NONE for any VM_PFNMAP vma. 

I don't think it makes sense for any other shared mapping?

BTW there's also the case that if you have a device driver that
does not use lazy faulting, but remap_pfn_range in the ->mmap function
and the mmap is called with PROT_NONE, and it remaps memory, not MMIO.
I still need to audit the tree to see if that can happen. It may
be safer to forbid that case somewhere in the VM also.

-Andi

  reply	other threads:[~2018-04-25 23:12 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-25  3:29 [MODERATED] [PATCH 1/6] Patch 1 Andi Kleen
2018-04-25 15:51 ` [MODERATED] " Linus Torvalds
2018-04-25 16:06   ` Andi Kleen
2018-04-25 17:25     ` Linus Torvalds
2018-04-25 17:36       ` Andi Kleen
2018-04-25 18:00         ` Linus Torvalds
2018-04-25 18:11           ` Andi Kleen
2018-04-25 18:26             ` Thomas Gleixner
2018-04-25 18:30             ` [MODERATED] " Linus Torvalds
2018-04-25 18:51               ` Andi Kleen
2018-04-25 20:15                 ` Linus Torvalds
2018-04-25 21:19                   ` Andi Kleen
2018-04-25 22:35                     ` Linus Torvalds
2018-04-25 23:12                       ` Andi Kleen [this message]
2018-04-25 23:21                         ` Linus Torvalds
2018-04-25 23:39                           ` Andi Kleen
2018-04-26  3:22                             ` Linus Torvalds
2018-04-26  3:39                               ` Jon Masters
2018-04-26 13:59                           ` Michal Hocko
2018-04-26 17:14                             ` Linus Torvalds
2018-04-27  0:05                               ` Andi Kleen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180425231238.GO14273@tassilo.jf.intel.com \
    --to=ak@linux.intel.com \
    --cc=speck@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.