Re: [RFC, PATCH] pagemap: do not leak physical addresses to non-privileged userspace

From: Mark Seaborn
Date: Mon Mar 16 2015 - 20:49:56 EST


On 16 March 2015 at 14:11, Pavel Machek <pavel@xxxxxx> wrote:
> On Mon 2015-03-09 23:11:12, Kirill A. Shutemov wrote:
> > From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> >
> > As pointed by recent post[1] on exploiting DRAM physical imperfection,
> > /proc/PID/pagemap exposes sensitive information which can be used to do
> > attacks.
> >
> > This is RFC patch which disallow anybody without CAP_SYS_ADMIN to read
> > the pagemap.
> >
> > Any comments?
> >
> > [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
>
> Note that this kind of attack still works without pagemap, it just
> takes longer. Actually the first demo program is not using pagemap.

That depends on the machine -- it depends on how bad the machine's
DRAM is, and whether the machine has the 2x refresh rate mitigation
enabled.

Machines with less-bad DRAM or with a 2x refresh rate might still be
vulnerable to rowhammer, but only if the attacker has access to huge
pages or to /proc/PID/pagemap.

/proc/PID/pagemap also gives an attacker the ability to scan for bad
DRAM locations, save a list of their addresses, and exploit them in
the future.

Given that, I think it would still be worthwhile to disable /proc/PID/pagemap.


> Can we do anything about that? Disabling cache flushes from userland
> should make it no longer exploitable.

Unfortunately there's no way to disable userland code's use of
CLFLUSH, as far as I know.

Maybe Intel or AMD could disable CLFLUSH via a microcode update, but
they have not said whether that would be possible.

Cheers,
Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/