[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87pn8glwd2.fsf@x220.int.ebiederm.org>
Date: Mon, 27 Jul 2020 12:07:53 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Anthony Yznaga <anthony.yznaga@...cle.com>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org, linux-arch@...r.kernel.org, mhocko@...nel.org,
tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, x86@...nel.org,
hpa@...or.com, viro@...iv.linux.org.uk, akpm@...ux-foundation.org,
arnd@...db.de, keescook@...omium.org, gerg@...ux-m68k.org,
ktkhai@...tuozzo.com, christian.brauner@...ntu.com,
peterz@...radead.org, esyr@...hat.com, jgg@...pe.ca,
christian@...lner.me, areber@...hat.com, cyphar@...har.com,
steven.sistare@...cle.com
Subject: Re: [RFC PATCH 0/5] madvise MADV_DOEXEC
Anthony Yznaga <anthony.yznaga@...cle.com> writes:
> This patchset adds support for preserving an anonymous memory range across
> exec(3) using a new madvise MADV_DOEXEC argument. The primary benefit for
> sharing memory in this manner, as opposed to re-attaching to a named shared
> memory segment, is to ensure it is mapped at the same virtual address in
> the new process as it was in the old one. An intended use for this is to
> preserve guest memory for guests using vfio while qemu exec's an updated
> version of itself. By ensuring the memory is preserved at a fixed address,
> vfio mappings and their associated kernel data structures can remain valid.
> In addition, for the qemu use case, qemu instances that back guest RAM with
> anonymous memory can be updated.
What is wrong with using a file descriptor to a possibly deleted file
and re-mmaping it?
There is already MAP_FIXED that allows you to ensure you have the same
address.
I think all it would take would be a small protocol from one version
to the next to say map file descriptor #N and address #A. Something
easily passed on the command line.
There is just enough complexity in exec currently that our
implementation of exec is already teetering. So if we could use
existing mechanisms it would be good.
And I don't see why this version of sharing a mmap area would be
particularly general. I do imagine that being able to force a
mmap area into a setuid executable would be a fun attack vector.
Perhaps I missed this in my skim of these patches but I did not see
anything that guarded this feature against an exec that changes an
applications privileges.
Eric
> Patches 1 and 2 ensure that loading of ELF load segments does not silently
> clobber existing VMAS, and remove assumptions that the stack is the only
> VMA in the mm when the stack is set up. Patch 1 re-introduces the use of
> MAP_FIXED_NOREPLACE to load ELF binaries that addresses the previous issues
> and could be considered on its own.
>
> Patches 3, 4, and 5 introduce the feature and an opt-in method for its use
> using an ELF note.
>
> Anthony Yznaga (5):
> elf: reintroduce using MAP_FIXED_NOREPLACE for elf executable mappings
> mm: do not assume only the stack vma exists in setup_arg_pages()
> mm: introduce VM_EXEC_KEEP
> exec, elf: require opt-in for accepting preserved mem
> mm: introduce MADV_DOEXEC
>
> arch/x86/Kconfig | 1 +
> fs/binfmt_elf.c | 196 +++++++++++++++++++++++++--------
> fs/exec.c | 33 +++++-
> include/linux/binfmts.h | 7 +-
> include/linux/mm.h | 5 +
> include/uapi/asm-generic/mman-common.h | 3 +
> kernel/fork.c | 2 +-
> mm/madvise.c | 25 +++++
> mm/mmap.c | 47 ++++++++
> 9 files changed, 266 insertions(+), 53 deletions(-)
Powered by blists - more mailing lists