On Fri, Aug 16, 2024 at 07:08:09PM +0200, Jann Horn wrote:
> Yeah, having a FOLL_FORCE write in clone3 would be a weakness for userspace CFI and probably make it possible to violate mseal() restrictions that are supposed to enforce that address space regions are read-only.
Note that this will only happen for shadow stack pages (with the new version) and only for a valid token at the specific address. mseal()ing a shadow stack to be read only is hopefully not going to go terribly well for userspace.
> Though, did anyone in the thread yet suggest that you could do this before the child process has fully materialized but after the child MM has been set up? Somewhere in copy_process() between copy_mm() and the "/* No more failure paths after this point. */" comment?
Yes, I've got a version that does that waiting to go pending some discussion on if we even do the check for the token in the child mm.