Message-ID: <YLjf1Hmrkfwc5xUW@casper.infradead.org>
Date:   Thu, 3 Jun 2021 14:57:40 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     Simon Ser <contact@...rsion.fr>
Cc:     Hugh Dickins <hughd@...gle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        "Lin, Ming" <minggr@...il.com>, Peter Xu <peterx@...hat.com>,
        "Kirill A. Shutemov" <kirill@...temov.name>,
        Dan Williams <dan.j.williams@...el.com>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Will Deacon <will@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        David Herrmann <dh.herrmann@...il.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        Greg Kroah-Hartman <greg@...ah.com>,
        "tytso@....edu" <tytso@....edu>
Subject: Re: Sealed memfd & no-fault mmap

On Thu, Jun 03, 2021 at 01:14:47PM +0000, Simon Ser wrote:
> On Saturday, May 29th, 2021 at 10:15 PM, Hugh Dickins <hughd@...gle.com> wrote:
> 
> > And IIUC it would have to be the recipient (Wayland compositor) doing
> > the NOFAULT business, because (going back to the original mail) we are
> > only considering this so that Wayland might satisfy clients who predate
> > or refuse Linux-only APIs.  So, an ioctl (or fcntl, as sealing chose)
> > at the client end cannot be expected; and could not be relied on anyway.
> 
> Yes, that is correct.
> 
> > NOFAULT? Does BSD use "fault" differently, and in Linux terms we
> > would say NOSIGBUS to mean the same?
> >
> > Can someone point to a specification of BSD's __MAP_NOFAULT?
> > Searching just found me references to bugs.
> 
> __MAP_NOFAULT isn't documented, sadly. The commit that introduces the
> flag [1] is the best we're going to get, I think.
> 
> > What mainly worries me about the suggestion is: what happens to the
> > zero page inserted into NOFAULT mappings, when later a page for that
> > offset is created and added to page cache?
> 
> Not 100% sure exactly this means what I think it means, but from my PoV,
> it's fine if the contents of an expanded shm file aren't visible from the
> process that has mapped it with MAP_NOFAULT/MAP_NOSIGBUS. In other words,
> it's fine if:
> 
> - The client sets up a 1KiB shm file and sends it to the compositor.
> - The compositor maps it with MAP_NOFAULT/MAP_NOSIGBUS.
> - The client expands the file to 2KiB and writes interesting data in it.
> - The compositor still sees zeros past the 1KiB mark. The compositor needs
>   to unmap and re-map the file to see the data past the 1KiB mark.
> 
> If the MAP_NOFAULT/MAP_NOSIGBUS flag only affects the mapping itself and
> nothing else, this should be fine?

This is going to operate at a page boundary, so the example you gave
will work.  How about this:

 - The client sets up a 1KiB shm file and sends it to the compositor.
 - The client expands the file to 5KiB
 - The compositor sees the new data up to 4KiB but zeroes past the 4KiB
   mark.

Does that still make userspace happy?
