> On Jan 8, 2021, at 3:34 PM, Andrea Arcangeli <aarcange@xxxxxxxxxx> wrote:
>
> On Fri, Jan 08, 2021 at 10:31:24AM -0800, Andy Lutomirski wrote:
>> Can we just remove vmsplice() support? We could make it do a normal
>
>> copy, thereby getting rid of a fair amount of nastiness and potential
>> attacks. Even ignoring issues relating to the length of time that the
>> vmsplice reference is alive, we also have whatever problems could be
>> caused by a malicious or misguided user vmsplice()ing some memory and
>> then modifying it.
>
> Sorry to ask but I'm curious, what also goes wrong if the user
> modifies memory under GUP pin from vmsplice? That's not obvious to
> see.
It breaks the otherwise true rule that the data in pipe buffers is
immutable. Even just quoting the manpage:
SPLICE_F_GIFT
The user pages are a gift to the kernel. The application may
not modify this memory ever, otherwise the page cache and on-
disk data may differ.
That's no good.
I can also imagine use cases in which modified vmsplice() pages that
end up in various parts of the network stack could be problematic.
For example, if you can arrange for TCP or, worse, TLS to transmit
data and then retransmit modified data, you might get odd results. In
the latter case, some security properties of TLS might be broken.
--Andy
