Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752705AbbDBQok (ORCPT ); Thu, 2 Apr 2015 12:44:40 -0400 Received: from mail-db3on0096.outbound.protection.outlook.com ([157.55.234.96]:46592 "EHLO emea01-db3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752507AbbDBQoc (ORCPT ); Thu, 2 Apr 2015 12:44:32 -0400 X-Greylist: delayed 600 seconds by postgrey-1.27 at vger.kernel.org; Thu, 02 Apr 2015 12:44:31 EDT From: Shachar Raindel To: Yann Droneaud , Haggai Eran CC: Sagi Grimberg , "oss-security@lists.openwall.com" , " (linux-rdma@vger.kernel.org)" , "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" Subject: RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Thread-Topic: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Thread-Index: AQHQbSyEAQwf8AzEREiGaKM63FVWmJ05imaQgAAtooCAAB4uAIAAFWQAgAABBCA= Date: Thu, 2 Apr 2015 16:44:07 +0000 Deferred-Delivery: Thu, 2 Apr 2015 16:43:43 +0000 Message-ID: References: <1427969085.17020.5.camel@opteya.com> <1427981431.22575.21.camel@opteya.com> <551D5DC8.6070909@mellanox.com> <1427992506.22575.80.camel@opteya.com> In-Reply-To: <1427992506.22575.80.camel@opteya.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [193.47.165.251] authentication-results: opteya.com; dkim=none (message not signed) header.d=none; x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AM2PR05MB1028; x-microsoft-antispam-prvs: x-forefront-antispam-report: BMV:1;SFV:NSPM;SFS:(10009020)(6009001)(51704005)(13464003)(24454002)(51914003)(164054003)(479174004)(377454003)(87936001)(76176999)(86362001)(66066001)(2656002)(15975445007)(2900100001)(230783001)(102836002)(2950100001)(77156002)(92566002)(62966003)(122556002)(19580405001)(19580395003)(106116001)(33656002)(46102003)(76576001)(50986999)(54356999)(93886004)(74316001);DIR:OUT;SFP:1101;SCL:1;SRVR:AM2PR05MB1028;H:AM2PR05MB0929.eurprd05.prod.outlook.com;FPR:;SPF:None;MLV:sfv;LANG:en; x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(601004)(5005006)(5002010);SRVR:AM2PR05MB1028;BCL:0;PCL:0;RULEID:;SRVR:AM2PR05MB1028; x-forefront-prvs: 0534947130 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 X-OriginatorOrg: Mellanox.com X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2015 16:44:29.0335 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: a652971c-7d2e-4d9b-a6a4-d149256f461b X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM2PR05MB1028 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by nfs id t32GiwcX011401 Content-Length: 4656 Lines: 121 > -----Original Message----- > From: Yann Droneaud [mailto:ydroneaud@opteya.com] > Sent: Thursday, April 02, 2015 7:35 PM > To: Haggai Eran > Cc: Shachar Raindel; Sagi Grimberg; oss-security@lists.openwall.com; > (linux-rdma@vger.kernel.org); linux- > kernel@vger.kernel.org; stable@vger.kernel.org > Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected > physical memory access > > Hi Haggai, > > Le jeudi 02 avril 2015 à 18:18 +0300, Haggai Eran a écrit : > > On 02/04/2015 16:30, Yann Droneaud wrote: > > > Hi, > > > > > > Le jeudi 02 avril 2015 à 10:52 +0000, Shachar Raindel a écrit : > > >>> -----Original Message----- > > >>> From: Yann Droneaud [mailto:ydroneaud@opteya.com] > > >>> Sent: Thursday, April 02, 2015 1:05 PM > > >>> Le mercredi 18 mars 2015 à 17:39 +0000, Shachar Raindel a écrit : > > > > > >>>> + /* > > >>>> + * If the combination of the addr and size requested for this > > >>> memory > > >>>> + * region causes an integer overflow, return error. > > >>>> + */ > > >>>> + if ((PAGE_ALIGN(addr + size) <= size) || > > >>>> + (PAGE_ALIGN(addr + size) <= addr)) > > >>>> + return ERR_PTR(-EINVAL); > > >>>> + > > >>> > > >>> Can access_ok() be used here ? > > >>> > > >>> if (!access_ok(writable ? VERIFY_WRITE : VERIFY_READ, > > >>> addr, size)) > > >>> return ERR_PTR(-EINVAL); > > >>> > > >> > > >> No, this will break the current ODP semantics. > > >> > > >> ODP allows the user to register memory that is not accessible yet. > > >> This is a critical design feature, as it allows avoiding holding > > >> a registration cache. Adding this check will break the behavior, > > >> forcing memory to be all accessible when registering an ODP MR. > > >> > > > > > > Where's the check for the range being in userspace memory space, > > > especially for the ODP case ? > > > > > > For non ODP case (eg. plain old behavior), does get_user_pages() > > > ensure the requested pages fit in userspace region on all > > > architectures ? I think so. > > > > Yes, get_user_pages will return a smaller amount of pages than > requested > > if it encounters an unmapped region (or a region without write > > permissions for write requests). If this happens, the loop in > > ib_umem_get calls get_user_pages again with the next set of pages, and > > this time if it the first page still cannot be mapped an error is > returned. > > > > > > > > In ODP case, I'm not sure such check is ever done ? > > > > In ODP, we also call get_user_pages, but only when a page fault occurs > > (see ib_umem_odp_map_dma_pages()). This allows the user to pre- > register > > a memory region that contains unmapped virtual space, and then mmap > > different files into that area without needing to re-register. > > > > OK, thanks for the description. > > > > (Aside, does it take special mesure to protect shared mapping from > > > being read and/or *written* ?) > > > > I'm not sure I understand the question. Shared mappings that the > process > > is allowed to read or write are also allowed for the HCA > (specifically, > > to local and remote operations the same process performs using the > HCA), > > provided the application has registered their virtual address space as > a > > memory region. > > > > I was refering to description of get_user_pages(): > > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/mm/g > up.c?id=v4.0-rc6#n765 > > * @force: whether to force access even when user mapping is currently > * protected (but never forces write access to shared mapping). > > But since ib_umem_odp_map_dma_pages() use get_user_pages() with force > argument set to 0, it's OK. > > Another related question: as the large memory range could be registered > by user space with ibv_reg_mr(pd, base, size, IB_ACCESS_ON_DEMAND), > what's prevent the kernel to map a file as the result of mmap(0, ...) > in this region, making it available remotely through IBV_WR_RDMA_READ / > IBV_WR_RDMA_WRITE ? > This is not a bug. This is a feature. Exposing a file through RDMA, using ODP, can be done exactly like this. Given that the application explicitly requested this behavior, I don't see why it is a problem. Actually, some of our tests use such flows. The mmu notifiers mechanism allow us to do this safely. When the page is written back to disk, it is removed from the ODP mapping. When it is accessed by the HCA, it is brought back to RAM. Thanks, --Shachar ????{.n?+???????+%?????ݶ??w??{.n?+????{??G?????{ay?ʇڙ?,j??f???h?????????z_??(?階?ݢj"???m??????G????????????&???~???iO???z??v?^?m???? ????????I?