Description
Hi - I believe that there is a potential issue with the current read/write allow buffer sharing implementation. I believe that you can achieve the same effect as #1141 by deliberately crashing a process whose fault policy is restart. Here is a scenario that describes the problem:
- There is a process (let's call it process `s`) that exposes some service to other apps.
- There is another process (let's call it process `c`) that uses said service.
- Then, process `c` uses a read/write allow syscall to give process `s` access to a read/write buffer.
- Then, process `c` crashes. If the fault policy for the app is to restart, it seems a problematic case arises.

Looking at `try_restart`, it calls `reset`, which resets the app break AND the high water mark to their initial values. Unfortunately, at this point there will be a read/write buffer that is unguarded by the high water mark, and the grant region might grow into this buffer. This would allow process `s`, the server, to access kernel memory.
From reading the docs on restart policies, I understand that not every app may be given a restart fault policy but I think this is still problematic and should be protected against.
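To make the failure mode concrete, here is an added example (not code from this issue or from the kernel itself): a hypothetical model of one process's RAM with an app break that grows up, a grant region that grows down, and the high water mark guarding between them. `reset` mirrors the behaviour described above, and `reset_keeping` is an assumed mitigation that keeps the high water mark above every buffer another process still holds. All addresses and names are constructed for the model.

```rust
// Hypothetical model of one process's RAM, written to illustrate the issue above.
// It is not Tock's own Process or grant code; addresses are plain usizes.
#[derive(Clone, Copy)]
pub struct Buffer { pub start: usize, pub len: usize }
pub struct ProcMem {
    mem_start: usize,       // bottom of process RAM, app region grows up from here
    app_break: usize,       // current top of the app-owned region
    high_water_mark: usize, // highest address the app has ever owned
    grant_ptr: usize,       // bottom of the kernel grant region, which grows down
    initial_break: usize,   // value app_break is reset to on restart
}
impl ProcMem {
    pub fn new(mem_start: usize, mem_end: usize, initial_break: usize) -> Self {
        ProcMem { mem_start, app_break: initial_break, high_water_mark: initial_break,
                  grant_ptr: mem_end, initial_break }
    }
    /// Move the app break; the high water mark only ever goes up.
    pub fn brk(&mut self, new_break: usize) -> bool {
        if new_break < self.mem_start || new_break > self.grant_ptr { return false; }
        self.app_break = new_break;
        self.high_water_mark = self.high_water_mark.max(new_break);
        true
    }
    /// An allow call is accepted only for a buffer entirely inside app-owned memory.
    pub fn allow(&self, b: Buffer) -> bool {
        b.start >= self.mem_start && b.start + b.len <= self.app_break
    }
    /// Grant allocation is refused if it would dip below the high water mark.
    pub fn grant_alloc(&mut self, size: usize) -> bool {
        match self.grant_ptr.checked_sub(size) {
            Some(p) if p >= self.high_water_mark => { self.grant_ptr = p; true }
            _ => false,
        }
    }
    /// Reset as described in the issue: break and high water mark go back to their
    /// initial values, ignoring any buffer another process may still hold.
    pub fn reset(&mut self) {
        self.app_break = self.initial_break;
        self.high_water_mark = self.initial_break;
    }
    /// Assumed mitigation: the high water mark stays above every still-shared buffer.
    pub fn reset_keeping(&mut self, outstanding: &[Buffer]) {
        self.reset();
        for b in outstanding {
            self.high_water_mark = self.high_water_mark.max(b.start + b.len);
        }
    }
    /// True if kernel grant memory now overlaps the shared buffer.
    pub fn grant_overlaps(&self, b: Buffer) -> bool { b.start + b.len > self.grant_ptr }
}
```

With the plain `reset`, a grant allocation after the restart can land on top of the buffer the server still holds; with `reset_keeping`, the same allocation is refused until it fits above the buffer.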