On Wed, Nov 30, 2022 at 05:13:18PM +0100, Arnd Bergmann wrote:
> On Wed, Nov 30, 2022, at 16:47, Jason A. Donenfeld wrote:
>
> >> > There's padding at the end of the structure, yes. But both
> >> > `generation` and `is_ready` will be at the same offset. If the
> >> > structure grows, then sure, that'll have to be taken into account. But
> >> > that's not a problem because this is a private implementation detail
> >> > between the vdso code and the kernel.
> >>
> >> I was not concerned about incompatibility here, but rather about
> >> possibly leaking kernel data to the vdso page.
> >
> > The vvar page starts out zeroed, no?
>
> The typical problem is someone doing a copy_to_user() of an in-kernel
> structure into the userspace side, which would then copy the
> padding as well. If the source is on the stack, a malicious caller
> can trick another syscall into leaving sensitive data at this
> exact stack location.

I'm quite aware of this infoleak, having made use of it countless times
over the years. It just doesn't seem relevant to the vvar page.

Jason
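The padding infoleak Arnd describes, as an added userspace C illustration (not code from this thread or from the kernel): the struct layout, field names and the 0xAA "stale" marker are constructed to mirror the discussion, and memcpy() stands in for copy_to_user(). It shows that assigning fields one by one leaves the padding bytes untouched, and that zeroing the whole object first is what closes the leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout: a 1-byte flag followed by a u64 leaves padding bytes
 * (7 on 64-bit ABIs) that assigning the fields individually never writes. */
struct vdso_like {
    uint8_t  is_ready;
    uint64_t generation;
};
union backing {
    struct vdso_like s;
    unsigned char raw[sizeof(struct vdso_like)];
};
#define STALE_BYTE 0xAA /* constructed marker standing in for leftover stack data */

size_t padding_bytes(void) {
    return sizeof(struct vdso_like) - sizeof(uint8_t) - sizeof(uint64_t);
}

/* Number of bytes in a copied-out image that still carry the stale marker. */
static size_t count_stale(const unsigned char *img, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        leaked += (img[i] == STALE_BYTE);
    return leaked;
}

/* Naive pattern: fill the fields, then copy the whole struct out. Padding leaks. */
size_t leaked_bytes_naive(void) {
    union backing b;
    unsigned char user_copy[sizeof b.s];
    memset(b.raw, STALE_BYTE, sizeof b.raw); /* what an earlier call left on the stack */
    b.s.is_ready = 1;
    b.s.generation = 42;
    memcpy(user_copy, b.raw, sizeof b.raw);  /* stands in for copy_to_user() */
    return count_stale(user_copy, sizeof user_copy);
}

/* Hardened pattern: zero the whole object (padding included) before filling it. */
size_t leaked_bytes_hardened(void) {
    union backing b;
    unsigned char user_copy[sizeof b.s];
    memset(b.raw, STALE_BYTE, sizeof b.raw);
    memset(&b.s, 0, sizeof b.s);             /* clears the padding explicitly */
    b.s.is_ready = 1;
    b.s.generation = 42;
    memcpy(user_copy, b.raw, sizeof b.raw);
    return count_stale(user_copy, sizeof user_copy);
}
```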