On Tue, Sep 03, 2019 at 09:14:46AM -0700, Matthew Wilcox wrote:
> On Tue, Sep 03, 2019 at 03:03:27PM +0200, Christoph Hellwig wrote:
> > Add a new iomap_dio_ops structure that for now just contains the end_io
> > handler. This avoids storing the function pointer in a mutable structure,
> > which is a possible exploit vector for kernel code execution, and prepares
> > for adding a submit_io handler that btrfs needs.
>
> Is it really a security win? If I can overwrite dio->end_io, I can as
> well overwrite dio->dops.

Which you'd then need to point to another place where you can stuff a
function pointer. Not impossible, but just another hoop to jump through.
At least until we add run-time checks that ops structures are in read-only
memory, which sounds more sensible than some of the other security hardening
patches floating around.
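The two layouts under discussion, and the "extra hoop" plus the run-time read-only check the reply mentions, as an added userspace model. This is example code written for this page, not the iomap patch or any kernel code: the struct names only loosely mirror iomap_dio / iomap_dio_ops, and addr_is_readonly() and iomap_dio_complete() are hypothetical helpers that stand in for an in-kernel check; the read-only test is done by parsing /proc/self/maps, so it is Linux-only and reports "unknown" elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Old layout: the completion callback lives inside the per-request object,
 * which is heap-allocated and writable.  One corrupting write hijacks it. */
struct iomap_dio_old {
    long size;
    int (*end_io)(struct iomap_dio_old *dio, long ret);
};

/* New layout: the request only holds a pointer to an ops table; the table is
 * a const object that the linker places in read-only memory (.rodata, or
 * .data.rel.ro made read-only by RELRO for a PIE build). */
struct iomap_dio;
struct iomap_dio_ops {
    int (*end_io)(struct iomap_dio *dio, long ret);
};
struct iomap_dio {
    long size;
    const struct iomap_dio_ops *dops;
};

static int fs_end_io_old(struct iomap_dio_old *dio, long ret) { (void)dio; return ret < 0 ? (int)ret : 0; }
static int attacker_end_io_old(struct iomap_dio_old *dio, long ret) { (void)dio; (void)ret; return 0x41; }
static int fs_end_io(struct iomap_dio *dio, long ret) { (void)dio; return ret < 0 ? (int)ret : 0; }
static int attacker_end_io(struct iomap_dio *dio, long ret) { (void)dio; (void)ret; return 0x41; }

/* The legitimate table: const, so it lands in read-only memory. */
static const struct iomap_dio_ops fs_dio_ops = { .end_io = fs_end_io };

/* Hypothetical run-time check (assumption, not a kernel API): is the mapping
 * holding *p writable?  Returns 1 = read-only, 0 = writable, -1 = unknown
 * (no /proc/self/maps, e.g. not Linux). */
static int addr_is_readonly(const void *p)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    uintptr_t a = (uintptr_t)p;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[8];
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
            continue;
        if (a >= lo && a < hi) {
            result = strchr(perms, 'w') ? 0 : 1;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Dispatch through the ops table, refusing a table that sits in writable
 * memory.  Returns end_io's result, or -1 if the table was rejected. */
static int iomap_dio_complete(struct iomap_dio *dio, long ret)
{
    if (addr_is_readonly(dio->dops) == 0)
        return -1;                      /* table is writable: treat as corrupted */
    return dio->dops->end_io(dio, ret);
}

/* Old layout: a single write into the request object redirects control flow. */
static int simulate_old_layout_hijack(void)
{
    struct iomap_dio_old *dio = calloc(1, sizeof *dio);
    if (!dio) return -1;
    dio->end_io = fs_end_io_old;
    dio->end_io = attacker_end_io_old;  /* the one corrupting write */
    int r = dio->end_io(dio, 0);
    free(dio);
    return r;                           /* 0x41: attacker callback ran */
}

/* New layout: the attacker needs writable memory holding a fake table AND a
 * write of dio->dops (the extra hoop); the read-only check catches the fake. */
static int simulate_new_layout_hijack(void)
{
    struct iomap_dio *dio = calloc(1, sizeof *dio);
    struct iomap_dio_ops *fake = malloc(sizeof *fake);   /* attacker-controlled */
    if (!dio || !fake) { free(dio); free(fake); return -1; }
    dio->dops = &fs_dio_ops;
    fake->end_io = attacker_end_io;
    dio->dops = fake;                   /* second hoop: redirect the ops pointer */
    int r = iomap_dio_complete(dio, 0);
    free(fake);
    free(dio);
    return r;                           /* -1 on Linux: fake table rejected */
}

/* Unmodified request: the real, read-only table is accepted. */
static int legit_completion(void)
{
    struct iomap_dio dio = { .size = 4096, .dops = &fs_dio_ops };
    return iomap_dio_complete(&dio, 0);
}

int main(void)
{
    printf("old layout hijack -> 0x%x\n", simulate_old_layout_hijack());
    printf("new layout hijack -> %d\n", simulate_new_layout_hijack());
    printf("legit completion  -> %d\n", legit_completion());
    return 0;
}
```

The check in iomap_dio_complete() fails open when the mapping cannot be determined, which is acceptable for a userspace model but not what a kernel would do; in the kernel the equivalent test is whether the ops pointer falls inside the kernel's read-only data, and the indirection only helps if that check exists or the attacker cannot find writable memory to host a fake table.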