Date: Wed, 21 Feb 2018 17:45:06 -0800
From: "Luck, Tony"
To: Linus Torvalds
Cc: Andi Kleen, Ard Biesheuvel, Joe Konno, "linux-efi@vger.kernel.org", Linux Kernel Mailing List, Jeremy Kerr, Matthew Garrett, Peter Jones, Andy Lutomirski, James Bottomley
Subject: [PATCH] efivarfs: Limit the rate for non-root to read files
Message-ID: <20180222014505.2l76ccrrs36y3b26@agluck-desk>
X-Mailing-List: linux-kernel@vger.kernel.org

Each read from a file in efivarfs results in two calls to EFI (one to get the file size, another to get the actual data).

On X86 these EFI calls result in broadcast system management interrupts (SMI) which affect performance of the whole system. A malicious user can loop performing reads from efivarfs bringing the system to its knees.

Linus suggested per-user rate limit to solve this.

So we add a ratelimit structure to "user_struct" and initialize it for the root user for no limit. When allocating user_struct for other users we set the limit to 100 per second. This could be used for other places that want to limit the rate of some detrimental user action.

In efivarfs if the limit is exceeded when reading, we sleep for 10ms.

Signed-off-by: Tony Luck
--- fs/efivarfs/file.c | 4 ++++ include/linux/sched/user.h | 4 ++++ kernel/user.c | 3 +++ 3 files changed, 11 insertions(+) diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c index 5f22e74bbade..7bcf5b041028 100644 --- a/fs/efivarfs/file.c +++ b/fs/efivarfs/file.c @@ -8,6 +8,7 @@ */ #include +#include #include #include #include
@@ -74,6 +75,9 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf, ssize_t size = 0; int err; + if (!__ratelimit(&file->f_cred->user->ratelimit)) + usleep_range(10000, 10000); + err = efivar_entry_size(var, &datasize); /* diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h index 0dcf4e480ef7..96fe289c4c6e 100644 --- a/include/linux/sched/user.h +++ b/include/linux/sched/user.h @@ -4,6 +4,7 @@ #include #include +#include struct key; @@ -41,6 +42,9 @@ struct user_struct { defined(CONFIG_NET) atomic_long_t locked_vm; #endif + + /* Miscellaneous per-user rate limit */ + struct ratelimit_state ratelimit; }; extern int uids_sysfs_init(void); diff --git a/kernel/user.c b/kernel/user.c index 9a20acce460d..36288d840675 100644 --- a/kernel/user.c +++ b/kernel/user.c @@ -101,6 +101,7 @@ struct user_struct root_user = { .sigpending = ATOMIC_INIT(0), .locked_shm = 0, .uid = GLOBAL_ROOT_UID, + .ratelimit = RATELIMIT_STATE_INIT(root_user.ratelimit, 0, 0), }; /* @@ -191,6 +192,8 @@ struct user_struct *alloc_uid(kuid_t uid) new->uid = uid; atomic_set(&new->__count, 1); + ratelimit_state_init(&new->ratelimit, HZ, 100); + ratelimit_set_flags(&new->ratelimit, RATELIMIT_MSG_ON_RELEASE); /* * Before adding this, check whether we raced -- 2.14.1
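Review bot: In efivarfs_file_read() (fs/efivarfs/file.c) the new check sleeps once and then falls through to efivar_entry_size() regardless, so an over-limit read is delayed by 10ms but never re-checked or refused. Several threads of the same user can each take that sleep in parallel and still issue EFI calls at a multiple of the 100 per second that alloc_uid() configures. Consider looping until __ratelimit() succeeds, using an interruptible sleep with an early return when a signal is pending so the task stays killable. Separately, usleep_range(10000, 10000) passes the same value for min and max, which leaves the timer no slack to coalesce wakeups; a wider range or msleep() suits a 10ms delay better.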
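Review bot: The new ratelimit member of struct user_struct (include/linux/sched/user.h) is documented only as "Miscellaneous per-user rate limit", while the commit message proposes reusing it in other places. Every such caller would draw from the same per-user budget, so an unrelated limited action could throttle efivarfs reads and the reverse. Either name the field for its single consumer, or expand the comment to state the shared-budget semantics, the units, and which code is expected to call __ratelimit() on it.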
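Review bot: In kernel/user.c the limit in alloc_uid() is hard-coded as ratelimit_state_init(&new->ratelimit, HZ, 100) with no named constant and no comment, and the root_user initializer RATELIMIT_STATE_INIT(root_user.ratelimit, 0, 0) does not say that a zero interval is what disables limiting. Please give the interval and burst named constants and comment both initializers. RATELIMIT_MSG_ON_RELEASE defers the suppressed-callbacks message until the state is released, but no hunk in this patch adds a matching ratelimit_state_exit() call on the free path, so state in a comment whether the flag is there only to keep that message out of the log.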