Patching until the COWs come home (part 1)
https://lwn.net/Articles/849638/
- Copy on write is simple in theory, but the edge cases are voluminous
- project Zero found this vuln:
- A process allocates a page and writes to it
- It forks, the parent sleeps
- The child creates a pipe, puts a ref (using vmsplice/get_user_page) to this page on the pipe. It then unmaps the page so it isn’t part of the child’s page table any more
- The parent wakes up and writes secret data to the page. This doesn’t trigger a fault because the child has unmapped the page at this point(page_mapcount)
- The child wakes up, reads the ref from the pipe and can now read the secret data