Re: [PATCH v7 0/8] iov_iter: Improve page extraction (ref, pin or just list)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23.01.23 18:25, Jan Kara wrote:
On Mon 23-01-23 16:42:56, Matthew Wilcox wrote:
On Mon, Jan 23, 2023 at 04:38:47PM +0000, David Howells wrote:
Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
Also you only mention DIO read - but what about "start DIO write; fork(); touch
buffer" in the parent - now the write buffer belongs to the child and they can
affect the parent's write.

I'm struggling to see the problem here.  If the child hasn't exec'd, the
parent and child are still in the same security domain.  The parent
could have modified the buffer before calling fork().

Sadly they are not. Android in particular starts applications by forking
one big binary (zygote) that has multiple apps linked together and relies
on the fact the child cannot influence the parent after the fork. We've
already had CVEs with GUP & COW & fork due to this. David Hildebrand has a
lot of memories regarding this I believe ;)

:)

Once FOLL_PIN is used most of the issues go away and we don't have to play any games with VM flags or similar ...

With FOLL_PIN, I consider anon a solved problem and not worth any new fancy ideas.

--
Thanks,

David / dhildenb




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux