[CRIU] [PATCH 07/10] vdso: Don't fail if pagemap is not accessible

Pavel Emelyanov xemul at parallels.com
Mon Sep 28 12:22:25 PDT 2015


On 09/28/2015 10:15 PM, Pavel Emelyanov wrote:
> On 09/28/2015 10:01 PM, Cyrill Gorcunov wrote:
>> We use page frame number to detect vDSO which has been remapped
>> in-place from runtime vDSO during restore. In such a case, if the
>> kernel is younger than 3.16, the "[vdso]" mark won't be reported
>> in procfs output.
>>
>> Still, to address recently reported CVEs and be able to run CRIU
>> in unprivileged mode, we need to handle vDSO without pagemap access,
>> and here is the deal -- when we find a VMA which "looks like" vDSO
>> we try to scan it for vDSO symbols, and if it matches we restore
>> its status without PFN access.
>>
>> The good news is that since commit 1c90308e7a77af pfn read no
>> longer requires CAP_SYS_ADMIN, so kernel 4.3 won't need this hack.
> 
> Can you do some archaeology here? Which kernel disabled opening
> of pagemap for non-root at all, and which enabled it back with non-zero
> PFNs?

BTW, it looks like recent kernels just show flags here; the pfn part
is filled with zeroes :\ So we have three eras here:

- kernel allowed everything
- kernel didn't allow opening pagemap
- kernel allowed opening pagemap, but showed zeros in pfns

Which kernels are these?
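As an added example (not CRIU's code), the following C program probes the three eras listed above for the calling process: it reads the /proc/self/pagemap entry for one of its own pages and reports whether pagemap could not be opened, opened but with a zeroed PFN field, or opened with the PFN visible. The pagemap bit layout (bits 0-54 PFN, bit 63 present) is the documented kernel format; the enum names and function names are assumptions made for the example.

```c
/* Added example, not CRIU code: decode a /proc/<pid>/pagemap entry and tell
 * which "era" of pagemap behaviour the calling process lives in. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#define PM_PFN_MASK ((UINT64_C(1) << 55) - 1) /* bits 0-54: PFN of a present page */
#define PM_PRESENT  (UINT64_C(1) << 63)       /* bit 63: page present in RAM */
enum pm_era {
	PM_ERA_OPEN_FAILED, /* pagemap cannot be opened (e.g. EPERM for non-root) */
	PM_ERA_ZERO_PFN,    /* opens, page present, but the PFN field is zeroed */
	PM_ERA_PFN_VISIBLE, /* opens and reports a real PFN */
	PM_ERA_NOT_PRESENT  /* page not resident: nothing to conclude */
};

/* Pure classifier: open_errno is the errno of a failed open(), 0 on success. */
enum pm_era pm_classify(int open_errno, uint64_t entry)
{
	if (open_errno)
		return PM_ERA_OPEN_FAILED;
	if (!(entry & PM_PRESENT))
		return PM_ERA_NOT_PRESENT;
	return (entry & PM_PFN_MASK) ? PM_ERA_PFN_VISIBLE : PM_ERA_ZERO_PFN;
}

/* Read and classify the pagemap entry covering one address of this process. */
enum pm_era pm_probe(const void *addr, uint64_t *entry_out)
{
	uint64_t entry = 0;
	long psz = sysconf(_SC_PAGESIZE);
	int fd = open("/proc/self/pagemap", O_RDONLY);
	if (fd < 0)
		return pm_classify(errno, 0);
	/* pagemap holds one 64-bit entry per page, indexed by virtual page number */
	off_t off = (off_t)((uintptr_t)addr / (uintptr_t)psz) * sizeof(entry);
	if (pread(fd, &entry, sizeof(entry), off) != (ssize_t)sizeof(entry))
		entry = 0; /* unreadable entry: report as not present */
	close(fd);
	if (entry_out)
		*entry_out = entry;
	return pm_classify(0, entry);
}
int main(void)
{
	static const char *names[] = { "open failed", "pfn zeroed", "pfn visible", "not present" };
	static char page[4096];
	uint64_t e = 0;
	page[0] = 1; /* touch the page so it is resident before probing */
	printf("%s (entry=0x%016llx)\n", names[pm_probe(page, &e)], (unsigned long long)e);
	return 0;
}
```

Run it as root and as an unprivileged user on the same kernel to see which era that kernel belongs to.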
