On 9 March 2015 at 14:17, Pavel Machek <[email protected]> wrote: > On Mon 2015-03-09 09:30:50, Andy Lutomirski wrote: >> On Mon, Mar 9, 2015 at 9:03 AM, Mark Seaborn <[email protected]> wrote: >> > On 6 January 2015 at 15:20, Pavel Machek <[email protected]> wrote: >> >> Actually, I could not get my test code to run; and as code from >> >> >> >> https://github.com/mseaborn/rowhammer-test >> >> >> >> reproduces issue for me, I stopped trying. I could not get it to >> >> damage memory of other process than itself (but that should be >> >> possible), I guess that's next thing to try. >> > >> > FYI, rowhammer-induced bit flips do turn out to be exploitable. Here >> > are the results of my research on this: >> > http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html >> > >> >> IIRC non-temporal writes will force cachelines out to main memory >> *and* invalidate them. (I wouldn't be shocked if Skylake changes >> this, but I'm reasonably confident that it's true on all currently >> available Intel chips.) >> >> Have you checked whether read; read; nt store; nt store works? >> >> (I can't test myself easily right now -- I think my laptop is too old >> for this issue.) > > Well, if you had laptop with that issue, it would still be tricky to > test this. It takes a while to reproduce...
Actually, it depends. The time it takes to get a rowhammer-induced bit flip when picking aggressor addresses at random varies quite a lot between machines. On some machines, it takes minutes. On others, it takes hours. However, once you've found a bad DRAM location, the bit flips do tend to be repeatable. So it is possible to record the physical addresses of aggressor and victim locations (using /proc/self/pagemap) and retry them later, potentially using different methods for attempting to do row hammering (such as CLFLUSH vs. non-temporal accesses). I have not actually tried that with methods other than CLFLUSH yet. I tried using non-temporal accesses early on in my experimentation, but I didn't try them with known-bad locations. Cheers, Mark -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
