Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp686442yba; Fri, 26 Apr 2019 07:10:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxdyDZCl/6uDM7quT+nk1jDDqbCZfziQP0PRu+HK4urbpuVzSVY3hOM7bHCiHLAwuR5NhX8 X-Received: by 2002:a17:902:784d:: with SMTP id e13mr46892639pln.152.1556287804349; Fri, 26 Apr 2019 07:10:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556287804; cv=none; d=google.com; s=arc-20160816; b=SARBHtFdVvaVs3udTHZC5HazGZ5cgUQ080AfK/VVAKvIs0qaEmJenzNv8gRNchnCAz iulk5NL2b1+lIhs+EjAloO3bS1vucisYkT2XL6RTWZ1ZY2sz59qbYONwKJZYzjWMAR8O mHilxOiB+i6LPvIEh5tMVfWWN+MqvFasRd4q4vPM88soy6KZVlWo8aqT6v8J6/wim5wF wAf+HmeUb0Mm64hEQ7hN7w/4pdSNBITypH7fk/JkZCSAveucRweBIwAtQN4CAVYXVmbj rFBr67vbv/Ogieww+OeOCtcJ6XkXOJUQ06ffmzKV4bANG3TUSdStWqhLaZiQAL5jOsTD mCQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Gl4pDgsoTjXGZqZThKkrLaFex7Lx0Ph2eAdPNhjxdlM=; b=C5j7zVp1rAAJI7ZBL3JhcSlkDSWjhcAEMPYl3tCJDqSAlg8tQCOqSRji3K+fity/0+ cfUruVMUPcXHOHiycK5kSns3emJNOGaIBwM9gif6kSzJf5xQxiAUxrHslR5gJ3BxZun9 6f1OJMQ+IerUfvkj9/7NUPkukYlMnXVmuUTF79MNM8LJlcthnmg2V0nTQ0xHsbl8DZH1 A5odGNDIQwMsqnNC5qQAjgcyp23Uju+cAoqkAeNooqE0KOEQY2tnM2GbAxjE+F3VPQjr +kDh7rvZHcMoQzyzHaCnvsWVOxKTaUSf4BVvJC95e4Am9Ls2cHCi1l88y4Y77E7a17FB KwQA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i8si7499496pgq.468.2019.04.26.07.09.47; Fri, 26 Apr 2019 07:10:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726173AbfDZOIo (ORCPT + 99 others); Fri, 26 Apr 2019 10:08:44 -0400 Received: from mx2.suse.de ([195.135.220.15]:51808 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726039AbfDZOIo (ORCPT ); Fri, 26 Apr 2019 10:08:44 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 725D0AFFB; Fri, 26 Apr 2019 14:08:42 +0000 (UTC) Date: Fri, 26 Apr 2019 16:08:41 +0200 From: Michal Hocko To: Jann Horn Cc: Matthew Garrett , Linux-MM , kernel list , Matthew Garrett , Linux API Subject: Re: [PATCH V2] mm: Allow userland to request that the kernel clear memory on release Message-ID: <20190426140841.GK22245@dhcp22.suse.cz> References: <20190424211038.204001-1-matthewgarrett@google.com> <20190425121410.GC1144@dhcp22.suse.cz> <20190426053135.GC12337@dhcp22.suse.cz> <20190426134722.GH22245@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri 26-04-19 16:03:26, Jann Horn wrote: > On Fri, Apr 26, 2019 at 3:47 PM Michal Hocko wrote: > > On Fri 26-04-19 15:33:25, Jann Horn wrote: > > > On Fri, Apr 26, 2019 at 7:31 AM Michal Hocko wrote: > > > > On Thu 25-04-19 14:42:52, Jann Horn wrote: > > > > > On Thu, Apr 25, 2019 at 2:14 PM Michal Hocko wrote: > > > > > [...] > > > > > > On Wed 24-04-19 14:10:39, Matthew Garrett wrote: > > > > > > > From: Matthew Garrett > > > > > > > > > > > > > > Applications that hold secrets and wish to avoid them leaking can use > > > > > > > mlock() to prevent the page from being pushed out to swap and > > > > > > > MADV_DONTDUMP to prevent it from being included in core dumps. Applications > > > > > > > can also use atexit() handlers to overwrite secrets on application exit. > > > > > > > However, if an attacker can reboot the system into another OS, they can > > > > > > > dump the contents of RAM and extract secrets. We can avoid this by setting > > > > > > > CONFIG_RESET_ATTACK_MITIGATION on UEFI systems in order to request that the > > > > > > > firmware wipe the contents of RAM before booting another OS, but this means > > > > > > > rebooting takes a *long* time - the expected behaviour is for a clean > > > > > > > shutdown to remove the request after scrubbing secrets from RAM in order to > > > > > > > avoid this. > > > > > > > > > > > > > > Unfortunately, if an application exits uncleanly, its secrets may still be > > > > > > > present in RAM. This can't be easily fixed in userland (eg, if the OOM > > > > > > > killer decides to kill a process holding secrets, we're not going to be able > > > > > > > to avoid that), so this patch adds a new flag to madvise() to allow userland > > > > > > > to request that the kernel clear the covered pages whenever the page > > > > > > > reference count hits zero. Since vm_flags is already full on 32-bit, it > > > > > > > will only work on 64-bit systems. > > > > > [...] > > > > > > > diff --git a/mm/madvise.c b/mm/madvise.c > > > > > > > index 21a7881a2db4..989c2fde15cf 100644 > > > > > > > --- a/mm/madvise.c > > > > > > > +++ b/mm/madvise.c > > > > > > > @@ -92,6 +92,22 @@ static long madvise_behavior(struct vm_area_struct *vma, > > > > > > > case MADV_KEEPONFORK: > > > > > > > new_flags &= ~VM_WIPEONFORK; > > > > > > > break; > > > > > > > + case MADV_WIPEONRELEASE: > > > > > > > + /* MADV_WIPEONRELEASE is only supported on anonymous memory. */ > > > > > > > + if (VM_WIPEONRELEASE == 0 || vma->vm_file || > > > > > > > + vma->vm_flags & VM_SHARED) { > > > > > > > + error = -EINVAL; > > > > > > > + goto out; > > > > > > > + } > > > > > > > + new_flags |= VM_WIPEONRELEASE; > > > > > > > + break; > > > > > > > > > > An interesting effect of this is that it will be possible to set this > > > > > on a CoW anon VMA in a fork() child, and then the semantics in the > > > > > parent will be subtly different - e.g. if the parent vmsplice()d a > > > > > CoWed page into a pipe, then forked an unprivileged child, the child > > > > > > > > Maybe a stupid question. How do you fork an unprivileged child (without > > > > exec)? Child would have to drop priviledges on its own, no? > > > > > > Sorry, yes, that's what I meant. > > > > But then the VMA is gone along with the flag so why does it matter? > > But in theory, the page might still be used somewhere, e.g. as data in > a pipe (into which the parent wrote it) or whatever. Parent > vmsplice()s a page into a pipe, parent exits, child marks the VMA as > WIPEONRELEASE and exits, page gets wiped, someone else reads the page > from the pipe. > > Yes, this is very theoretical, and you'd have to write some pretty > weird software for this to matter. But it doesn't seem clean to me to > allow a child to affect the data in e.g. a pipe that it isn't supposed > to have access to like this. > > Then again, this could probably already happen, since do_wp_page() > reuses pages depending on only the mapcount, without looking at the > refcount. OK, now I see your point. I was confused about the unprivileged child. You are right that this looks weird but we have traditionally trusted child processes to not do a harm. I guess this falls down to the same bucket. An early CoW on these mapping should solve the problem AFAICS. -- Michal Hocko SUSE Labs