From owner-freebsd-security@FreeBSD.ORG Wed Mar 11 08:11:33 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 17525640 for ; Wed, 11 Mar 2015 08:11:33 +0000 (UTC) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id E56671CD for ; Wed, 11 Mar 2015 08:11:32 +0000 (UTC) Received: from Julian-MBP3.local (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id t2B8BUfF014357 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Wed, 11 Mar 2015 01:11:31 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <54FFF8AD.90507@freebsd.org> Date: Wed, 11 Mar 2015 01:11:25 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: DRAM Rowhammer exploits References: In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2015 08:11:33 -0000 On 3/9/15 12:49 PM, Dmitry Morozovsky wrote: > Dear colleagues, > > any thoughts we're vulnerable to this? > > http://googleprojectzero.blogspot.ch/2015/03/exploiting-dram-rowhammer-bug-to-gain.html > one important part of this exploit is the following part: ---quote--- How can we pick pairs of addresses that satisfy the “different row, same bank” requirements? One possibility is to use knowledge of how the CPU’s memory controller maps physical addresses to DRAM’s row, column and bank numbers, along with knowledge of either: * The absolute physical addresses of memory we have access to. Linux allows this via /proc//PID//pagemap. * The relative physical addresses of memory we have access to. Linux can allow this via its support for “huge pages”, which cover 2MB of contiguous physical address space per page. Whereas a normal 4k page is smaller than a typical DRAM row, a 2MB page will typically cover multiple rows, some of which will be in the same bank. ---end quote--- I don't know of a similar source of that information in FreeBSD, though near the start of operation one might be able to make a good guess about memory allocation, until ram got too scrambled.. the "superpages" point would be true in freeBSD as well, tough I 'm not sure how you;d know you had a superpage, but you might be able to do something (file size?) that might make it likely. Of course in their first attack it's the location of the data but the location of the page table entry that's important. that might be more easily worked out if you allocated a large enough chunk of memory while memory is still predictable.