On Tue 10-03-20 19:08:28, Jann Horn wrote: > Hi! > > >From looking at the source code, it looks to me as if using > MADV_PAGEOUT on a CoW anonymous mapping will page out the page if > possible, even if other processes still have the same page mapped. Is > that correct? > > If so, that's probably bad in environments where many processes (with > different privileges) are forked from a single zygote process (like > Android and Chrome), I think? If you accidentally call it on a CoW > anonymous mapping with shared pages, you'll degrade the performance of > other processes. And if an attacker does it intentionally, they could > use that to aid with exploiting race conditions or weird > microarchitectural stuff (e.g. the new https://lviattack.eu/lvi.pdf > talks about "the assumption that attackers can provoke page faults or > microcode assists for (arbitrary) load operations in the victim > domain"). > > Should madvise_cold_or_pageout_pte_range() maybe refuse to operate on > pages with mapcount>1, or something like that? Or does it already do > that, and I just missed the check? I have brought up side channel attacks earlier [1] but only in the context of shared page cache pages. I didn't really consider shared anonymous pages to be a real problem. I was under impression that CoW pages shouldn't be a real problem because any security sensible applications shouldn't allow untrusted code to be forked and CoW anything really important. I believe we have made this assumption in other places - IIRC on gup with FOLL_FORCE but I admit I have very happily forgot most details. [1] http://lkml.kernel.org/r/20190619132450.GQ2968@xxxxxxxxxxxxxx -- Michal Hocko SUSE Labs
