Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753026AbbDCIjx (ORCPT ); Fri, 3 Apr 2015 04:39:53 -0400 Received: from mail-db3on0070.outbound.protection.outlook.com ([157.55.234.70]:39936 "EHLO emea01-db3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751338AbbDCIjt convert rfc822-to-8bit (ORCPT ); Fri, 3 Apr 2015 04:39:49 -0400 From: Haggai Eran To: Yann Droneaud , Shachar Raindel CC: Sagi Grimberg , " (linux-rdma@vger.kernel.org)" , "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Thread-Topic: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Thread-Index: AQHQbSyKnw+yq2pMTUy5fjpX6HQ0b505i/wAgAAsDICAAFB4AP//4xoAgAAChYCAAEHxAIAAs1rH Date: Fri, 3 Apr 2015 08:39:44 +0000 Message-ID: <1428050408201.35668@mellanox.com> References: <1427969085.17020.5.camel@opteya.com> <1427981431.22575.21.camel@opteya.com> <551D5DC8.6070909@mellanox.com> <1427992506.22575.80.camel@opteya.com> ,<1428007208.22575.104.camel@opteya.com> In-Reply-To: <1428007208.22575.104.camel@opteya.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [46.121.82.195] authentication-results: mellanox.com; dkim=none (message not signed) header.d=none; x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB3PR05MB0939;UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB3PR05MB0780; x-microsoft-antispam-prvs: x-forefront-antispam-report: BMV:1;SFV:NSPM;SFS:(10009020)(6009001)(377454003)(24454002)(13464003)(51704005)(93886004)(2950100001)(77156002)(62966003)(92566002)(54356999)(86362001)(77096005)(102836002)(50986999)(66066001)(106116001)(46102003)(76176999)(36756003)(117636001)(2656002)(19580405001)(19580395003)(40100003)(87936001)(2900100001)(230783001);DIR:OUT;SFP:1101;SCL:1;SRVR:DB3PR05MB0939;H:AMSPR05MB482.eurprd05.prod.outlook.com;FPR:;SPF:None;MLV:sfv;LANG:en; x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(601004)(5005006)(5002010);SRVR:DB3PR05MB0939;BCL:0;PCL:0;RULEID:;SRVR:DB3PR05MB0939; x-forefront-prvs: 05352A48BE Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2015 08:39:44.5987 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: a652971c-7d2e-4d9b-a6a4-d149256f461b X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR05MB0939 X-OriginatorOrg: Mellanox.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3068 Lines: 66 On Thursday, April 2, 2015 11:40 PM, Yann Droneaud wrote: > Le jeudi 02 avril 2015 ? 16:44 +0000, Shachar Raindel a ?crit : >> > -----Original Message----- >> > From: Yann Droneaud [mailto:ydroneaud@opteya.com] >> > Sent: Thursday, April 02, 2015 7:35 PM > >> > Another related question: as the large memory range could be registered >> > by user space with ibv_reg_mr(pd, base, size, IB_ACCESS_ON_DEMAND), >> > what's prevent the kernel to map a file as the result of mmap(0, ...) >> > in this region, making it available remotely through IBV_WR_RDMA_READ / >> > IBV_WR_RDMA_WRITE ? >> > >> >> This is not a bug. This is a feature. >> >> Exposing a file through RDMA, using ODP, can be done exactly like this. >> Given that the application explicitly requested this behavior, I don't >> see why it is a problem. > > If the application cannot choose what will end up in the region it has > registered, it's an issue ! > > What might happen if one library in a program call mmap(0, size, ...) to > load a file storing a secret (a private key), and that file ends up > being mapped in an registered but otherwise free region (afaict, the > kernel is allowed to do it) ? > What might happen if one library in a program call call mmap(0, > size, ..., MAP_ANONYMOUS,...) to allocate memory, call mlock(), then > write in this location a secret (a passphrase), and that area ends up > in the memory region registered for on demand paging ? > > The application haven't choose to disclose these confidential piece of > information, but they are available for reading/writing by remote > through RDMA given it knows the rkey of the memory region (which is a > 32bits value). > > I hope I'm missing something, because I'm not feeling confident such > behavor is a feature. What we are aiming for is the possibility to register the entire process' address space for RDMA operations (if the process chooses to use this feature). This is similar to multiple threads accessing the same address space. I'm sure you wouldn't be complaining about the ability of one thread to access the secret passphrase mmapped by another thread in your example. > I'm trying to understand how the application can choose what is exposed > through RDMA if it registers a very large memory region for later use > (but do not actually explicitly map something there yet): what's the > consequences ? > > void *start = sbrk(0); > size_t size = ULONG_MAX - (unsigned long)start; > > ibv_reg_mr(pd, start, size, IB_ACCESS_ON_DEMAND) The consequences are exactly as you wrote. Just as giving a non-ODP rkey to a remote node allows the node to access the registered memory behind that rkey, giving an ODP rkey to a remote node allows that node to access the virtual address space behind that rkey. Regards, Haggai-- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/