On Thu, Mar 15, 2018 at 05:27:09PM +0200, Boaz Harrosh wrote:
> Not really, there is already a high trust between the APP and the
> filesystem Server owning all of the APP's data. A compromised
> Server can do lots and lots of bad things before a bug trashes the
> unaligned tails of a buffer.
> (And at that the Server only has access to IO buffers in the short window
> of the IO execution. Once on IO return this access is disconnected.)

Without a TLB shootdown, you can't guarantee that. Here's how it works:

CPU A is notified of a new page, starts accessing the page.
CPU B decides to access the same page.
CPU A notifies the kernel.
Kernel withdraws the PTE mapping, but doesn't zap it.
CPU B can still access the page until whatever CPU magic happens to discard the PTE from the TLB.
Kernel decides to recycle the page.
Kernel allocates it to some kernel data structure.
CPU B writes to it, can probably escalate to kernel privileges.

Now, you're going to argue that the process is trusted and should be considered to be part of the kernel from a trust point of view. In that case it needs to be distributed as part of the kernel and not be an independent user process.
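The sequence above, as an added toy model (not kernel code and not from this thread): two CPUs with private TLB caches over one shared page table, showing that withdrawing the PTE alone leaves CPU B's cached translation pointing at the frame after the kernel recycles it, while a shootdown removes it. All names, sizes and frame numbers are constructed for the illustration.

```c
/* Toy two-CPU TLB model (constructed example, not Linux code). */
#include <stdbool.h>
#include <stdio.h>

#define NCPUS    2
#define NVPAGES  4
#define NFRAMES  8
#define UNMAPPED (-1)

static int  pte[NVPAGES];               /* shared page table: vpage -> frame  */
static int  tlb[NCPUS][NVPAGES];        /* per-CPU cached translations         */
static bool frame_is_kernel_data[NFRAMES]; /* frames the kernel has recycled   */

static void reset(void) {
    for (int v = 0; v < NVPAGES; v++) {
        pte[v] = UNMAPPED;
        for (int c = 0; c < NCPUS; c++) tlb[c][v] = UNMAPPED;
    }
    for (int f = 0; f < NFRAMES; f++) frame_is_kernel_data[f] = false;
}

/* A CPU access consults its own TLB first; only a miss walks the page table. */
static int cpu_access(int cpu, int vpage) {
    if (tlb[cpu][vpage] != UNMAPPED) return tlb[cpu][vpage]; /* hit: PTE not reread */
    tlb[cpu][vpage] = pte[vpage];                             /* miss: fill from PTE */
    return tlb[cpu][vpage];
}

/* Kernel withdraws the mapping; with shootdown it also flushes every CPU's TLB. */
static void kernel_unmap(int vpage, bool shootdown) {
    pte[vpage] = UNMAPPED;
    if (shootdown)
        for (int c = 0; c < NCPUS; c++) tlb[c][vpage] = UNMAPPED;
}

/* Returns true if CPU B's later write lands in a frame the kernel now owns. */
bool stale_access_possible(bool shootdown) {
    reset();
    int frame = 3;                 /* constructed frame number */
    pte[0] = frame;
    cpu_access(0, 0);              /* CPU A is notified and touches the page   */
    cpu_access(1, 0);              /* CPU B touches it too, caching the PTE    */
    kernel_unmap(0, shootdown);    /* CPU A tells the kernel; PTE is withdrawn */
    frame_is_kernel_data[frame] = true; /* kernel recycles the frame           */
    int f = cpu_access(1, 0);      /* CPU B writes again                       */
    return f != UNMAPPED && frame_is_kernel_data[f];
}

int main(void) {
    printf("without shootdown: stale access %s\n", stale_access_possible(false) ? "possible" : "blocked");
    printf("with shootdown:    stale access %s\n", stale_access_possible(true) ? "possible" : "blocked");
    return 0;
}
```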