Re: [patch] Performance Counters for Linux, v4

From: Ingo Molnar
Date: Tue Dec 16 2008 - 07:51:06 EST



* Pavel Machek <pavel@xxxxxxx> wrote:

> Hmm, if I timec some setuid program, what happens?

yes, i already had a quick look at that a few days ago when i implemented
counter inheritance (for different reasons) and couldn't find the cleanest
place to put the exec() flushing into so i procrastinated that a bit :)

> Performance counters seem like great tool to pull secret keys out of
> other processes :-).

if you worry about _that_ angle you also have to:

- turn off the cycle counter

- turn off precise utimes

- plus you have to forbid SMT CPUs as well. On HT a task could
co-schedule with your setuid task and observe its timing
characteristics via its _own_ behavior. (which is impacted by whatever
is running on another SMT/HT thread.)

the real exec() worries are: active, IRQ driven samples/events. Not possible
yet via the current iteration of counter inheritance (hence my
procrastination) - but it makes sense and that's why i was looking at the
exec() angle.

and that will flush simple counters too, removing your theoretical attack
angle as well.

So how about the patch below?

Ingo

--------------->
Subject: perfcounters: flush on setuid exec
From: Ingo Molnar <mingo@xxxxxxx>
Date: Tue Dec 16 13:40:44 CET 2008

Pavel Machek pointed out that performance counters should be flushed
when crossing protection domains on setuid execution.

Reported-by: Pavel Machek <pavel@xxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
---
fs/exec.c | 8 ++++++++
1 file changed, 8 insertions(+)

Index: linux/fs/exec.c
===================================================================
--- linux.orig/fs/exec.c
+++ linux/fs/exec.c
@@ -33,6 +33,7 @@
#include <linux/string.h>
#include <linux/init.h>
#include <linux/pagemap.h>
+#include <linux/perf_counter.h>
#include <linux/highmem.h>
#include <linux/spinlock.h>
#include <linux/key.h>
@@ -1015,6 +1016,13 @@ int flush_old_exec(struct linux_binprm *
set_dumpable(current->mm, suid_dumpable);
}

+ /*
+ * Flush performance counters when crossing a
+ * security domain:
+ */
+ if (!get_dumpable(current->mm))
+ perf_counter_exit_task(current);
+
/* An exec changes our domain. We are no longer part of the thread
group */
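
Review bot: the new test `if (!get_dumpable(current->mm))` in flush_old_exec() keys the flush on the dumpable flag rather than on the privilege transition itself. The context line just above it sets that flag with `set_dumpable(current->mm, suid_dumpable)`, so with a non-zero suid_dumpable a setuid exec would leave the mm dumpable and skip `perf_counter_exit_task(current)`, which does not match the comment "when crossing a security domain". Consider placing the flush in the same branch that calls set_dumpable(), or testing the condition that guards that branch, and state in the changelog which behaviour is intended.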
