On 23.01.23 18:25, Jan Kara wrote:
On Mon 23-01-23 16:42:56, Matthew Wilcox wrote:
On Mon, Jan 23, 2023 at 04:38:47PM +0000, David Howells wrote:
Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
Also you only mention DIO read - but what about "start DIO write; fork(); touch
buffer" in the parent - now the write buffer belongs to the child and they can
affect the parent's write.
I'm struggling to see the problem here. If the child hasn't exec'd, the
parent and child are still in the same security domain. The parent
could have modified the buffer before calling fork().
Sadly they are not. Android in particular starts applications by forking
one big binary (zygote) that has multiple apps linked together and relies
on the fact the child cannot influence the parent after the fork. We've
already had CVEs with GUP & COW & fork due to this. David Hildebrand has a
lot of memories regarding this I believe ;)
:)
Once FOLL_PIN is used most of the issues go away and we don't have to
play any games with VM flags or similar ...
With FOLL_PIN, I consider anon a solved problem and not worth any new
fancy ideas.
--
Thanks,
David / dhildenb
