From: Khalid Aziz <khalid.aziz@oracle.com>
To: Rob Gardner <rob.gardner@oracle.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
davem@davemloft.net, corbet@lwn.net, arnd@arndb.de,
akpm@linux-foundation.org
Cc: hpa@zytor.com, viro@zeniv.linux.org.uk, nitin.m.gupta@oracle.com,
chris.hyser@oracle.com, tushar.n.dave@oracle.com,
sowmini.varadhan@oracle.com, mike.kravetz@oracle.com,
adam.buchbinder@gmail.com, minchan@kernel.org, hughd@google.com,
kirill.shutemov@linux.intel.com, keescook@chromium.org,
allen.pais@oracle.com, aryabinin@virtuozzo.com,
atish.patra@oracle.com, joe@perches.com, pmladek@suse.com,
jslaby@suse.cz, cmetcalf@mellanox.com,
paul.gortmaker@windriver.com, mhocko@suse.com,
jmarchan@redhat.com, lstoakes@gmail.com, 0x7f454c46@gmail.com,
vbabka@suse.cz, tglx@linutronix.de, mingo@redhat.com,
dan.j.williams@intel.com, iamjoonsoo.kim@lge.com,
mgorman@techsingularity.net, vdavydov.dev@gmail.com,
hannes@cmpxchg.org, namit@vmware.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, x86@kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7
Date: Fri, 13 Jan 2017 07:48:42 -0700 [thread overview]
Message-ID: <9aa6d94d-0a80-7397-5cd2-c04a39cbaf82@oracle.com> (raw)
In-Reply-To: <ee959bf4-73db-f9bb-c697-20b47dd8d55f@oracle.com>
On 01/12/2017 06:31 PM, Rob Gardner wrote:
> On 01/12/2017 05:22 PM, Khalid Aziz wrote:
>> On 01/12/2017 10:53 AM, Dave Hansen wrote:
>>> On 01/12/2017 08:50 AM, Khalid Aziz wrote:
>>>> 2. Any shared page that has ADI protection enabled on it, must stay ADI
>>>> protected across all processes sharing it.
>>>
>>> Is that true?
>>>
>>> What happens if a page with ADI tags set is accessed via a PTE without
>>> the ADI enablement bit set?
>>
>> ADI protection applies across all processes in terms of all of them
>> must use the same tag to access the shared memory, but if a process
>> accesses a shared page with TTE.mcde bit cleared, access will be granted.
>>
>>>
>>>> COW creates an intersection of the two. It creates a new copy of the
>>>> shared data. It is a new data page and hence the process creating it
>>>> must be the one responsible for enabling ADI protection on it.
>>>
>>> Do you mean that the application must be responsible? Or the kernel
>>> running in the context of the new process must be responsible?
>>>
>>>> It is also a copy of what was ADI protected data, so should it
>>>> inherit the protection instead?
>>>
>>> I think the COW'd copy must inherit the VMA bit, the PTE bits, and the
>>> tags on the cachelines.
>>>
>>>> I misspoke earlier. I had misinterpreted the results of test I ran.
>>>> Changing the tag on shared memory is allowed by memory controller. The
>>>> requirement is every one sharing the page must switch to the new tag or
>>>> else they get SIGSEGV.
>>>
>>> I asked this in the last mail, but I guess I'll ask it again. Please
>>> answer this directly.
>>>
>>> If we require that everyone coordinate their tags on the backing
>>> physical memory, and we allow a lower-privileged program to access the
>>> same data as a more-privileged one, then the lower-privilege app can
>>> cause arbitrary crashes in the privileged application.
>>>
>>> For instance, say sudo mmap()'s /etc/passwd and uses ADI tags to protect
>>> the mapping. Couldn't any other app in the system prevent sudo from
>>> working?
>>>
>>> How can we *EVER* allow tags to be set on non-writable mappings?
>
> I don't think you can write a tag to memory if you don't have write
> access in the TTE. Writing a tag requires a store instruction, and if
> the machine is at all sane, this will fault if you don't have write access.
>
But could you have mmap'd the file writable, set the tags and then
changed the protection on memory to read-only? That would be the logical
way to ADI protect a memory being used to mmap a file. Right?
--
Khalid
> Rob
>
>
>
>>
>> I understand your quetion better now. That is a very valid concern.
>> Using ADI tags to prevent an unauthorized process from just reading
>> data in memory, say an in-memory copy of database, is one of the use
>> cases for ADI. This means there is a reasonable case to allow enabling
>> ADI and setting tags even on non-writable mappings. On the other hand,
>> if an unauthorized process manages to map the right memory pages in
>> its address space, it can read them any way by not setting TTE.mcd.
>>
>> Userspace app can set tag on any memory it has mapped in without
>> requiring assistance from kernel. Can this problem be solved by not
>> allowing setting TTE.mcd on non-writable mappings? Doesn't the same
>> problem occur on writable mappings? If a privileged process mmap()'s a
>> writable file with MAP_SHARED, enables ADI and sets tag on the mmap'd
>> memory region, then another lower privilege process mmap's the same
>> file writable (assuming file permissions allow it to), enables ADI and
>> sets a different tag on it, the privileged process would get SIGSEGV
>> when it tries to access the mmap'd file. Right?
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe sparclinux" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-01-13 14:49 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-11 16:12 [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7 Khalid Aziz
2017-01-11 16:12 ` [PATCH v4 1/4] signals, sparc: Add signal codes for ADI violations Khalid Aziz
2017-01-11 16:12 ` [PATCH v4 2/4] mm: Add function to support extra actions on swap in/out Khalid Aziz
2017-01-11 16:56 ` Dave Hansen
2017-01-11 17:15 ` Khalid Aziz
2017-01-11 16:12 ` [PATCH v4 3/4] sparc64: Add support for ADI register fields, ASIs and traps Khalid Aziz
2017-01-17 4:23 ` David Miller
2017-01-17 15:55 ` Khalid Aziz
2017-01-11 16:12 ` [PATCH v4 4/4] sparc64: Add support for ADI (Application Data Integrity) Khalid Aziz
2017-01-17 4:39 ` David Miller
2017-01-17 19:32 ` Khalid Aziz
2017-01-17 19:42 ` David Miller
2017-01-17 20:12 ` Khalid Aziz
2017-01-18 0:14 ` Khalid Aziz
2017-01-11 16:33 ` [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7 Dave Hansen
2017-01-11 16:56 ` Khalid Aziz
2017-01-11 18:13 ` Dave Hansen
2017-01-11 18:50 ` Khalid Aziz
2017-01-11 19:11 ` Dave Hansen
2017-01-12 0:22 ` Khalid Aziz
2017-01-12 0:49 ` Dave Hansen
2017-01-12 16:50 ` Khalid Aziz
2017-01-12 17:53 ` Dave Hansen
2017-01-13 0:22 ` Khalid Aziz
2017-01-13 1:31 ` Rob Gardner
2017-01-13 14:48 ` Khalid Aziz [this message]
2017-01-13 15:29 ` Rob Gardner
2017-01-13 15:59 ` Khalid Aziz
2017-01-13 16:08 ` Dave Hansen
2017-01-13 17:36 ` Rob Gardner
2017-01-17 4:47 ` David Miller
2017-01-17 21:43 ` Khalid Aziz
2017-01-17 4:42 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9aa6d94d-0a80-7397-5cd2-c04a39cbaf82@oracle.com \
--to=khalid.aziz@oracle.com \
--cc=0x7f454c46@gmail.com \
--cc=adam.buchbinder@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=allen.pais@oracle.com \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=atish.patra@oracle.com \
--cc=chris.hyser@oracle.com \
--cc=cmetcalf@mellanox.com \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=hannes@cmpxchg.org \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jmarchan@redhat.com \
--cc=joe@perches.com \
--cc=jslaby@suse.cz \
--cc=keescook@chromium.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lstoakes@gmail.com \
--cc=mgorman@techsingularity.net \
--cc=mhocko@suse.com \
--cc=mike.kravetz@oracle.com \
--cc=minchan@kernel.org \
--cc=mingo@redhat.com \
--cc=namit@vmware.com \
--cc=nitin.m.gupta@oracle.com \
--cc=paul.gortmaker@windriver.com \
--cc=pmladek@suse.com \
--cc=rob.gardner@oracle.com \
--cc=sowmini.varadhan@oracle.com \
--cc=sparclinux@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tushar.n.dave@oracle.com \
--cc=vbabka@suse.cz \
--cc=vdavydov.dev@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).