Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp309199imu; Tue, 8 Jan 2019 20:41:39 -0800 (PST) X-Google-Smtp-Source: ALg8bN6vrgx/lfoDn9nSNO7MBTO7F30SHJ/o6v6uiCpybD2c/cf/E4rEihIERwgJmBZhunH9LUIh X-Received: by 2002:a62:c101:: with SMTP id i1mr4519179pfg.80.1547008899682; Tue, 08 Jan 2019 20:41:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547008899; cv=none; d=google.com; s=arc-20160816; b=vl5qkp6uclzuVIb/Sc/AhyFNeDWj6K+p+7qVtjms0dBQERoIPVmQwRit/acQrJh35Z P1c6TLWakzDzQjDvlz37jXthEJqsacdDp/9nSqq6gZiH9QD/NUlvdG+rh0RgrPfS1hOs BLFM0SDdZ57KTWeqn1O3HG/X1QLhK6RGDS6cF+hGFyX1XKDbITBu/V8dQXK6YAAYM9js cr/mk7zD/nT6HyRx+q5KGDN+4/zHI8rLS3RDNeZsDPf6B281JJn24EN9iBKF3X+qK2/A eqytDfqG9VQaEiUNG/rTQFAMr+1RQyA7qFsm0QK1GR4we9sfWz8QGlHWH9XHn/EIZfHw FNkw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=urac/c6e53XiOX2+T7tdfVfP/j0NOL6st1Kq0zlXMTQ=; b=GNJp9yu3nU2NzT+eS4wS+kNes6Ig/BcvehQj+vovmVwAp34MpsUyty0qDsMDsj/437 iHkYQSUUhVwTpLxfulb5ZXpyM+zk+ZSOgSCIckuiKJt7eqAsryHgeHLR3g5Kbibkb4ds cCjkECQk5BmQ1TXcdmR9uqRp9hTeov06YWNw5t2GN0t/5aPlvLxwgrn/k5G0iC65W6rl hcKlHMAOdgjk5E8s/QNXCEcyVQOFe3amsDwTY2RfiHX+mAoUgd3r90lqQ/3gtU81R4fU JeBemLBNSiF0ISWXzyvgN5vlf7EiUc/rnyI7VGnTzeugv4My7yDpl7pdDKQ3rC4zNRwV Z5WA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f13si67533676plm.393.2019.01.08.20.41.23; Tue, 08 Jan 2019 20:41:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729371AbfAIEjN (ORCPT + 99 others); Tue, 8 Jan 2019 23:39:13 -0500 Received: from ipmail07.adl2.internode.on.net ([150.101.137.131]:41034 "EHLO ipmail07.adl2.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728112AbfAIEjN (ORCPT ); Tue, 8 Jan 2019 23:39:13 -0500 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail07.adl2.internode.on.net with ESMTP; 09 Jan 2019 15:09:08 +1030 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1gh5dy-0000WO-Sz; Wed, 09 Jan 2019 15:39:06 +1100 Date: Wed, 9 Jan 2019 15:39:06 +1100 From: Dave Chinner To: Jiri Kosina Cc: Linus Torvalds , Matthew Wilcox , Jann Horn , Andrew Morton , Greg KH , Peter Zijlstra , Michal Hocko , Linux-MM , kernel list , Linux API Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged Message-ID: <20190109043906.GF27534@dastard> References: <20190106001138.GW6310@bombadil.infradead.org> <20190108044336.GB27534@dastard> <20190109022430.GE27534@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 09, 2019 at 03:31:35AM +0100, Jiri Kosina wrote: > On Wed, 9 Jan 2019, Dave Chinner wrote: > > > > But mincore is certainly the easiest interface, and the one that > > > doesn't require much effort or setup. > > > > Off the top of my head, here's a few vectors for reading the page > > cache residency state without perturbing the page cache residency > > pattern: > > - mincore > > - preadv2(RWF_NOWAIT) > > - fadvise(POSIX_FADV_RANDOM); timed read(2) syscalls > > - madvise(MADV_RANDOM); timed read of first byte in each page > > While I obviously agree that all those are creating pagecache sidechannel > in principle, I think we really should mostly focus on the first two (with > mincore() already having been covered). FWIW, I just realised that the easiest, most reliable way to invalidate the page cache over a file range is simply to do a O_DIRECT read on it. IOWs, all three requirements of this information leak - highly specific, reliable cache invalidation control, controlled cache instantiation and 3rd-party detection of cache residency can all be performed with just the read(2) syscall... > Rationale has been provided by Daniel Gruss in this thread -- if the > attacker is left with cache timing as the only available vector, he's > going to be much more successful with mounting hardware cache timing > attack anyway. No, he said: "Restricting mincore() is sufficient to fix the hardware-agnostic part." That's not correct - preadv2(RWF_NOWAIT) is also hardware agnostic and provides exactly the same information about the page cache as mincore. Timed read/mmap access loops for cache observation are also hardware agnostic, and on fast SSD based storage will only be marginally slower bandwidth than preadv2(RWF_NOWAIT). Attackers will pick whatever leak vector we don't fix, so we either fix them all (which I think is probably impossible without removing caching altogether) or we start thinking about how we need to isolate the page cache so that information isn't shared across important security boundaries (e.g. page cache contents are per-mount namespace). Cheers, Dave. -- Dave Chinner david@fromorbit.com