On Tue, Mar 19, 2019 at 06:28:23PM +0000, Dr. David Alan Gilbert wrote: > * Andrew Morton (akpm@xxxxxxxxxxxxxxxxxxxx) wrote: > > On Tue, 19 Mar 2019 11:07:22 +0800 Peter Xu <peterx@xxxxxxxxxx> wrote: > > > > > Add a global sysctl knob "vm.unprivileged_userfaultfd" to control > > > whether userfaultfd is allowed by unprivileged users. When this is > > > set to zero, only privileged users (root user, or users with the > > > CAP_SYS_PTRACE capability) will be able to use the userfaultfd > > > syscalls. > > > > Please send along a full description of why you believe Linux needs > > this feature, for me to add to the changelog. What is the benefit to > > our users? How will it be used? > > > > etcetera. As it was presented I'm seeing no justification for adding > > the patch! > > How about: > > --- > Userfaultfd can be misued to make it easier to exploit existing use-after-free > (and similar) bugs that might otherwise only make a short window > or race condition available. By using userfaultfd to stall a kernel > thread, a malicious program can keep some state, that it wrote, stable > for an extended period, which it can then access using an existing > exploit. While it doesn't cause the exploit itself, and while it's not > the only thing that can stall a kernel thread when accessing a memory location, > it's one of the few that never needs priviledge. > > Add a flag, allowing userfaultfd to be restricted, so that in general > it won't be useable by arbitrary user programs, but in environments that > require userfaultfd it can be turned back on. Thanks for the quick write up, Dave! I definitely should have some justification in the cover letter and carry it until the last version. Sorry to be unclear at the first glance. -- Peter Xu