Re: [PATCH V8 5/7] io_uring: support leased group buffer with REQ_F_GROUP_KBUF

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/4/24 13:08, Ming Lei wrote:

On Mon, Nov 04, 2024 at 12:23:04PM +0000, Pavel Begunkov wrote:

On 11/4/24 01:21, Ming Lei wrote:

...>>>> 3. The lease ends, and we copy full 4K back to user space with the

unitialised chunk.

You can correct me on ublk specifics, I assume 3. is not a copy and
the user in 3 is the one using a ublk block device, but the point I'm
making is that if something similar is possible, then just zeroing is not
enough, the user can skip the step filling the buffer. If it can't leak


Can you explain how user skips the step given read IO is member of one group?


(2) Illustrates it, it can also be a nop with no read/recv


As I explained before, the application has to be trusted, and it must
have the permission to open the device & call into the buffer lease
uring_cmd.


It might be trusted to read some data of the process using the
device, but obviously it can't be trusted to read random kernel data.
I'm trying to understand which one is that.


It is in same situation with any user emulated storage, such as qemu,
fuse, and the application has to do things right.




any private data, then the buffer should've already been initialised by
the time it was lease. Initialised is in the sense that it contains no


For block IO the practice is to zero the remainder after short read, please
see example of loop, lo_complete_rq() & lo_read_simple().


It's more important for me to understand what it tries to fix, whether
we can leak kernel data without the patch, and whether it can be exploited
even with the change. We can then decide if it's nicer to zero or not.

I can also ask it in a different way, can you tell is there some security
concern if there is no zeroing? And if so, can you describe what's the exact
way it can be triggered?


Firstly the zeroing follows loop's handling for short read



Secondly, if the remainder part of one page cache buffer isn't zeroed, it might
be leaked to userspace via another read() or mmap() on same page.


What kind of data this leaked buffer can contain? Is it uninitialised
kernel memory like a freshly kmalloc'ed chunk would have? Or is it private
data of some user process?

--
Pavel Begunkov
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux