Hi!
commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.
The semantics of what mincore() considers to be resident is not completely clear, but Linux has always (since 2.3.52, which is when mincore() was initially done) treated it as "page is available in page cache".
That's potentially a problem, as that [in]directly exposes meta-information about pagecache / memory mapping state even about memory not strictly belonging to the process executing the syscall, opening possibilities for sidechannel attacks.
Change the semantics of mincore() so that it only reveals pagecache information for non-anonymous mappings that belog to files that the calling process could (if it tried to) successfully open for writing; otherwise we'd be including shared non-exclusive mappings, which
is the sidechannel
is not the usecase for mincore(), as that's primarily used for data, not (shared) text
...
@@ -189,8 +205,13 @@ static long do_mincore(unsigned long add vma = find_vma(current->mm, addr); if (!vma || addr < vma->vm_start) return -ENOMEM;
- mincore_walk.mm = vma->vm_mm; end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
- if (!can_do_mincore(vma)) {
unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);memset(vec, 1, pages);return pages;- }
- mincore_walk.mm = vma->vm_mm; err = walk_page_range(addr, end, &mincore_walk);
We normally return errors when we deny permissions; but this one just returns success and wrong data.
Could we return -EPERM there? If not, should it at least get a comment?
Thanks, Pavel