Re: [RFC PATCH 0/5] madvise MADV_DOEXEC

From: Andy Lutomirski
Date: Tue Jul 28 2020 - 10:23:09 EST

> On Jul 27, 2020, at 10:02 AM, Anthony Yznaga <anthony.yznaga@xxxxxxxxxx> wrote:
> ïThis patchset adds support for preserving an anonymous memory range across
> exec(3) using a new madvise MADV_DOEXEC argument. The primary benefit for
> sharing memory in this manner, as opposed to re-attaching to a named shared
> memory segment, is to ensure it is mapped at the same virtual address in
> the new process as it was in the old one. An intended use for this is to
> preserve guest memory for guests using vfio while qemu exec's an updated
> version of itself. By ensuring the memory is preserved at a fixed address,
> vfio mappings and their associated kernel data structures can remain valid.
> In addition, for the qemu use case, qemu instances that back guest RAM with
> anonymous memory can be updated.

This will be an amazing attack surface. Perhaps use of this flag should require no_new_privs? Arguably it should also require a special flag to execve() to honor it. Otherwise library helpers that do vfork()+exec() or posix_spawn() could be quite surprised.