qemu-devel
[Bug 1875702] [NEW] madvise reports success, but doesn't implement WIPEO


From: agl
Subject: [Bug 1875702] [NEW] madvise reports success, but doesn't implement WIPEONFORK.
Date: Tue, 28 Apr 2020 17:22:45 -0000

Public bug reported:

The implementation of madvise (linux-user/syscall.c:11331, tag
v5.0.0-rc4) always returns zero (i.e. success). However, an application
requesting (at least) MADV_WIPEONFORK may need to know whether the call
was actually successful. If not (because the kernel doesn't support
WIPEONFORK) then it will need to take other measures to provide fork-
safety (such as drawing entropy from the kernel in every case). But, if
the application believes that WIPEONFORK is supported (because madvise
returned zero), but it actually isn't (as in qemu), then it may forego
those protections on the assumption that WIPEONFORK will provide fork-
safety.

Roughly, the comment in qemu that says "This is a hint, so ignoring and
returning success is ok." is no longer accurate in the presence of
MADV_WIPEONFORK.

(This is not purely academic: BoringSSL is planning on acting in this
way. We found the qemu behaviour in pre-release testing and are planning
on making an madvise call with advice=-1 first to test whether unknown
advice values actually produce EINVAL.)

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1875702
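
The probe described in the report, as an added example that is not part of the original message and is not QEMU or BoringSSL code: reject an madvise implementation that accepts advice=-1, then confirm across a real fork that the page is wiped. The function names, the 0xA5 fill and the single-page layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MADV_WIPEONFORK
#define MADV_WIPEONFORK 18 /* asm-generic value, assumed for older headers */
#endif

/* Constructed demo state: one private anonymous page holding a non-zero "seed". */
unsigned char *alloc_seed_page(size_t *len) {
    *len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, *len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memset(p, 0xA5, *len);
    return p;
}

/* Returns 1 only if unknown advice is rejected with EINVAL and the
 * MADV_WIPEONFORK request then succeeds. An madvise that returns 0 for
 * advice=-1 says nothing about what it implements, so it is not trusted. */
int wipeonfork_usable(void *p, size_t len) {
    if (madvise(p, len, -1) == 0 || errno != EINVAL)
        return 0;
    return madvise(p, len, MADV_WIPEONFORK) == 0;
}

/* Forks and reports what the child sees: 1 = first byte zeroed, 0 = seed
 * still present, -1 = fork/wait error. */
int child_sees_wiped(const volatile unsigned char *p) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(p[0] == 0 ? 0 : 1);
    int st;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0;
}

int main(void) {
    size_t len;
    unsigned char *p = alloc_seed_page(&len);
    if (!p) return 1;
    int ok = wipeonfork_usable(p, len);
    /* If ok == 0, fall back to drawing kernel entropy on every call. */
    printf("trusted=%d child_wiped=%d\n", ok, child_sees_wiped(p));
    return 0;
}
```

If `wipeonfork_usable` returns 0, the caller takes the fallback the report mentions and draws entropy from the kernel in every case.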
