Date: Thu, 02 Apr 2015 22:40:08 +0200 From: Yann Droneaud <ydroneaud@...eya.com> To: Shachar Raindel <raindel@...lanox.com> Cc: Haggai Eran <haggaie@...lanox.com>, Sagi Grimberg <sagig@...lanox.com>, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "<linux-rdma@...r.kernel.org> (linux-rdma@...r.kernel.org)" <linux-rdma@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access Hi, Le jeudi 02 avril 2015 à 16:44 +0000, Shachar Raindel a écrit : > > -----Original Message----- > > From: Yann Droneaud [mailto:ydroneaud@...eya.com] > > Sent: Thursday, April 02, 2015 7:35 PM > > Another related question: as the large memory range could be registered > > by user space with ibv_reg_mr(pd, base, size, IB_ACCESS_ON_DEMAND), > > what's prevent the kernel to map a file as the result of mmap(0, ...) > > in this region, making it available remotely through IBV_WR_RDMA_READ / > > IBV_WR_RDMA_WRITE ? > > > > This is not a bug. This is a feature. > > Exposing a file through RDMA, using ODP, can be done exactly like this. > Given that the application explicitly requested this behavior, I don't > see why it is a problem. If the application cannot choose what will end up in the region it has registered, it's an issue ! What might happen if one library in a program call mmap(0, size, ...) to load a file storing a secret (a private key), and that file ends up being mapped in an registered but otherwise free region (afaict, the kernel is allowed to do it) ? What might happen if one library in a program call call mmap(0, size, ..., MAP_ANONYMOUS,...) to allocate memory, call mlock(), then write in this location a secret (a passphrase), and that area ends up in the memory region registered for on demand paging ? The application haven't choose to disclose these confidential piece of information, but they are available for reading/writing by remote through RDMA given it knows the rkey of the memory region (which is a 32bits value). I hope I'm missing something, because I'm not feeling confident such behavor is a feature. > Actually, some of our tests use such flows. > The mmu notifiers mechanism allow us to do this safely. When the page is > written back to disk, it is removed from the ODP mapping. When it is > accessed by the HCA, it is brought back to RAM. > I'm not discussing about the benefit of On Demand Paging and why it's a very good feature to expose files through RDMA. I'm trying to understand how the application can choose what is exposed through RDMA if it registers a very large memory region for later use (but do not actually explicitly map something there yet): what's the consequences ? void *start = sbrk(0); size_t size = ULONG_MAX - (unsigned long)start; ibv_reg_mr(pd, start, size, IB_ACCESS_ON_DEMAND) Regards. -- Yann Droneaud OPTEYA
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.