Patching until the COWs come home (part 1)

https://lwn.net/Articles/849638/

  • Copy on write is simple in theory, but the edge cases are voluminous
  • Project Zero found this vulnerability (a race in the copy-on-write handling):
    • A process allocates a page and writes to it
    • It forks, the parent sleeps
    • The child creates a pipe and puts a reference to this page on the pipe (using vmsplice, which pins the page via get_user_pages). It then unmaps the page, so it is no longer part of the child's page table, but the pipe still holds the pinned reference
    • The parent wakes up and writes secret data to the page. This does not trigger a COW fault, because the child has unmapped the page by now and the kernel's check (page_mapcount) sees only a single mapping, so the parent is allowed to write to the page in place
    • The child wakes up, reads the ref from the pipe and can now read the secret data