From: Linus Torvalds
Date: Sat, 5 Jan 2019 15:05:43 -0800
Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged
To: Jann Horn
Cc: Jiri Kosina, Andrew Morton, Greg KH, Peter Zijlstra, Michal Hocko, Linux-MM, kernel list, Linux API

On Sat, Jan 5, 2019 at 2:55 PM Jann Horn wrote:
>
> Just checking: I guess /proc/$pid/pagemap (iow, the pagemap_read()
> handler) is less problematic because it only returns data about the
> state of page tables, and doesn't query the address_space? In other
> words, it permits monitoring evictions, but non-intrusively detecting
> that something has been loaded into memory by another process is
> harder?

Yes. I think it was brought up during the original report, but to use the pagemap for this, you'd basically need to first populate all the pages, and then wait for pageout.

So pagemap *does* leak very similar data, but it's much harder to use as an attack vector.
That said, I think "mincore()" is just the simple one. You *can* (and this was also discussed on the security list) do things like

 - fault in a single page

 - the kernel will opportunistically fault in pages that it already has available _around_ that page.

 - then use pagemap (or just _timing_ - no real kernel support needed) to see if those pages are now mapped in your address space

so honestly, mincore is just the "big hammer" and easy way to get at some of this data. But it's probably worth closing exactly because it's easy. There are other ways to get at the "are these pages mapped" information, but they are a lot more cumbersome to use.

Side note: maybe we could just remove the "__mincore_unmapped_range()" thing entirely, and basically make mincore() do what pagemap does, which is to say "are the pages mapped in this VM". That would be nicer than my patch, simply because removing code is always nice. And arguably it's a better semantic anyway.

Linus