Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users

From: Ben Hutchings
Date: Sun Nov 29 2015 - 20:55:06 EST


On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> commit 1c90308e7a77af6742a97d1021cca923b23b7f0d upstream.
>
> This patch makes pagemap readable for normal users and hides physical
> addresses from them. For some use-cases PFN isn't required at all.
>
> See http://lkml.kernel.org/r/1425935472-17949-1-git-send-email-kirill@xxxxxxxxxxxxx
>
> Fixes: ab676b7d6fbf ("pagemap: do not leak physical addresses to non-privileged userspace")
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
> Cc: Naoya Horiguchi <n-horiguchi@xxxxxxxxxxxxx>
> Reviewed-by: Mark Williamson <mwilliamson@xxxxxxxxxxxxxxxxx>
> Tested-by: Mark Williamson <mwilliamson@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> [bwh: Backported to 3.2:
>  - Add the same check in the places where we look up a PFN
>  - Add struct pagemapread * parameters where necessary
>  - Open-code file_ns_capable()
>  - Delete pagemap_open() entirely, as it would always return 0]
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> (cherry picked from commit b1fb185f26e85f76e3ac6ce557398d78797c9684)
> [wt: adjusted context, no pagemap_hugetlb_range() in 2.6.32, and
>  security_capable() only takes a capability. Tested OK. ]
[...]
> + /* do not disclose physical addresses: attack vector */
> + pm.show_pfn = !security_capable(CAP_SYS_ADMIN);
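
Review bot: on the `pm.show_pfn` line, `security_capable(CAP_SYS_ADMIN)` takes only a capability (as the backport notes say), so the decision is made against the task doing the read rather than the credentials the file was opened with, which is what the `file_ns_capable()` named in the 3.2 backport notes would check. Consider evaluating the capability once at open time, storing the result in the file's private state, and having the read path set `pm.show_pfn` from that stored value; the comment above the line could then say whose credentials are being tested.
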
[...]

This is wrong; see
<https://marc.info/?l=linux-api&m=143144321020852&w=2>.

For 2.6.32 perhaps you could retain the capability check at open time
but store the result in private state for use at read time.

The ptrace check presumably should also be done at open time, as was
implemented upstream in:

commit a06db751c321546e5563041956a57613259c6720
Author: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
Date:   Tue Sep 8 14:59:59 2015 -0700

    pagemap: check permissions and capabilities at open time

But that wasn't cc'd to stable and hasn't been applied to any stable
branch (yet).

Ben.

--
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first time
