From: Helge Hafting <helge.hafting@hist.no>
To: Andrea Arcangeli <andrea@novell.com>
Cc: William Lee Irwin III <wli@holomorphy.com>,
Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, an.li.wang@intel.com
Subject: Re: truncate shows non zero data beyond the end of the inode with MAP_SHARED
Date: Fri, 17 Sep 2004 15:49:18 +0200
Message-ID: <414AEB5E.30803@hist.no>
In-Reply-To: <20040916142638.GW15426@dualathlon.random>
Andrea Arcangeli wrote:

>On Thu, Sep 16, 2004 at 10:49:33AM +0200, Helge Hafting wrote:
>
>>Could this "garbage" possibly be confidential data?
>
>I don't buy much in this theory.
>
>>I.e. one user repeatedly makes and mmaps a 1-byte file,
>>extends it to 4k, and looks at the 4095 bytes of "garbage".
>>Maybe he finds some "interesting stuff" when someone else's
>>confidential file just got dropped from pagecache
>>so he could mmap this 1-byte file?
>
>the old data got flushed below the i_size anyways, it sounds very
>strange that confidential data is present only over the i_size and not
>below the i_size, and if this guy has confidential data below the i_size
>then it'd better memset the whole page. And in theory nobody should touch
>the data over the i_size even if mmap allows to map it.

I am not talking about someone accidentally stumbling onto
something. I was worried about someone deliberately
trying to exploit this - such people look at data above i_size
_because they can_, hoping to find something interesting there.
Something they cannot get at normally.

I am assuming that the "garbage" between i_size and the
page boundary is stuff left over from whatever that
memory page was used for earlier? If so, it could be
4095 bytes out of the 4096 that was used to cache some
other file earlier. Possibly someone else's confidential file.
Or a piece of some network package that was processed a while ago.

Helge Hafting
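
Added example, not part of the original message or the thread: a C regression check for the scenario discussed above. It creates a 1-byte scratch file, maps it MAP_SHARED, extends it to one page with ftruncate() and counts non-zero bytes between the old i_size and the page boundary. The function name tail_leak_check and the /tmp scratch path are assumptions of this example; a result of 0 means the tail was zero-filled.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count non-zero bytes in map[from, to). */
static long count_nonzero(const unsigned char *map, long from, long to)
{
    long n = 0;
    for (long i = from; i < to; i++)
        if (map[i] != 0)
            n++;
    return n;
}

/* Returns the number of non-zero bytes seen above the 1-byte i_size,
 * summed over a read before and a read after the file is extended to a
 * full page. Returns -1 if the scratch file could not be set up. */
long tail_leak_check(void)
{
    char path[] = "/tmp/tailcheck-XXXXXX"; /* constructed scratch path */
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *map;
    long bad = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    unlink(path);                     /* file lives only as long as fd */
    if (write(fd, "A", 1) != 1)
        goto out;
    map = mmap(NULL, (size_t)page, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED)
        goto out;
    bad = count_nonzero(map, 1, page);           /* tail while i_size == 1 */
    if (ftruncate(fd, page) == 0)
        bad += count_nonzero(map, 1, page);      /* tail after extension */
    else
        bad = -1;
    munmap(map, (size_t)page);
out:
    close(fd);
    return bad;
}

int main(void)
{
    long bad = tail_leak_check();
    printf("non-zero bytes above old i_size: %ld\n", bad);
    return bad == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```
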