Java heap file on daxfs should be more secure
Florian Weimer
fweimer at redhat.com
Wed Jan 8 12:46:25 UTC 2020
* Yasumasa Suenaga:
> Hi Florian,
>
> On 2019/12/19 18:08, Florian Weimer wrote:
>> * Yasumasa Suenaga:
>>
>>> HotSpot allocates Java heap on daxfs if we pass -XX:AllocateHeapAt.
>>> It performs open(2) and unlink(2) on daxfs, and it is used via mmap'ed
>>> address.
>>>
>>> mmap(2) would be called with MAP_SHARED, and it is not atomic
>>> between open(2) and unlink(2). If a malicious user opens the Java heap
>>> file before unlink(2), it might be exposed.
>>
>> The existing code uses mkstemp, so the content is not exposed to other
>> users. The same user can still access the file through /proc, with and
>> without O_TMPFILE.
>
> The same user cannot access it through procfs after the unlink(2) call because the file is deleted.
> The symlink in /proc/<pid>/fd is a dead link.
Oh, that one isn't really a symbolic link. You can still open the file:
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main (void)
{
  /* Create an anonymous (never linked) file on the /tmp file system.  */
  int fd = open ("/tmp", O_TMPFILE | O_RDWR, 0777);
  if (fd < 0)
    err (1, "open");

  const char *message = "message\n";
  if (write (fd, message, strlen (message)) != (ssize_t) strlen (message))
    errx (1, "write");

  /* Show how the descriptor appears in /proc: "(deleted)", no name.  */
  char *command;
  if (asprintf (&command, "ls -l /proc/%d/fd/%d", (int) getpid (), fd) < 0)
    err (1, "asprintf");
  system (command);
  free (command);

  /* A separate process (cat) opens the same inode through the magic
     link and reads the content back.  */
  if (asprintf (&command, "cat /proc/%d/fd/%d", (int) getpid (), fd) < 0)
    err (1, "asprintf");
  system (command);
  free (command);

  if (close (fd) != 0)
    err (1, "close");
  return 0;
}
Prints this for me (assuming that the file system at /tmp actually
supports O_TMPFILE):
lrwx------. 1 fweimer fweimer 64 Jan 8 13:45 /proc/153704/fd/3 -> '/tmp/#2188223 (deleted)'
message
Thanks,
Florian
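The HotSpot case under discussion is mkstemp followed by unlink rather than O_TMPFILE, with the heap accessed through a MAP_SHARED mapping. The following added example (my code, not Florian's program above and not HotSpot's AllocateHeapAt implementation) reproduces that pattern on an ordinary local directory standing in for the daxfs mount, confirms that the original name is gone after unlink(2), and then obtains a second handle on the deleted inode through /proc/self/fd/N and reads back what was written only via the mapping. It assumes Linux with /proc mounted and a writable directory such as /tmp; the function and struct names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the experiment; every field is 0/1 except mode. */
struct proc_reopen_result {
    int setup_ok;   /* mkstemp/unlink/mmap all succeeded */
    int path_gone;  /* open() of the original name fails with ENOENT after unlink */
    int reopened;   /* open("/proc/self/fd/N") on the deleted file succeeded */
    int content_ok; /* bytes read through the new fd equal what was written via the mapping */
    mode_t mode;    /* permission bits mkstemp gave the file (expected 0600) */
};

/* Reproduce the create/unlink/mmap pattern: mkstemp in 'dir' (stand-in for
   the daxfs mount point), unlink the name, keep using the fd through a
   MAP_SHARED mapping, then try to get a second handle on the deleted inode
   through /proc/self/fd/N.  'payload' must be non-empty (mmap of length 0
   fails). */
struct proc_reopen_result
reopen_unlinked_via_proc(const char *dir, const char *payload)
{
    struct proc_reopen_result r = {0};
    char path[4096];
    if (snprintf(path, sizeof path, "%s/heap_XXXXXX", dir) >= (int) sizeof path)
        return r;

    /* mkstemp creates the file with mode 0600, so a different uid cannot
       open the name in the window before unlink(). */
    int fd = mkstemp(path);
    if (fd < 0)
        return r;
    struct stat st;
    if (fstat(fd, &st) == 0)
        r.mode = st.st_mode & 07777;

    if (unlink(path) != 0) { close(fd); return r; }
    /* The name is gone; only the open descriptor keeps the inode alive. */
    int probe = open(path, O_RDONLY);
    if (probe >= 0)
        close(probe);
    else
        r.path_gone = (errno == ENOENT);

    size_t len = strlen(payload);
    if (ftruncate(fd, (off_t) len) != 0) { close(fd); return r; }
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return r; }
    memcpy(map, payload, len);   /* "heap" contents written only via the mapping */
    r.setup_ok = 1;

    /* /proc/self/fd/N is a magic link: open() follows it to the inode even
       though ls shows the target as "(deleted)". */
    char proc_path[64];
    snprintf(proc_path, sizeof proc_path, "/proc/self/fd/%d", fd);
    int fd2 = open(proc_path, O_RDONLY);
    if (fd2 >= 0) {
        r.reopened = 1;
        char buf[256];
        ssize_t n = read(fd2, buf, sizeof buf);
        r.content_ok = (n == (ssize_t) len && memcmp(buf, payload, len) == 0);
        close(fd2);
    }

    munmap(map, len);
    close(fd);
    return r;
}

int main(void)
{
    /* Constructed sample payload standing in for Java heap bytes. */
    struct proc_reopen_result r = reopen_unlinked_via_proc("/tmp", "java heap bytes\n");
    printf("path gone: %d, reopened via /proc: %d, content matches: %d, mode: %04o\n",
           r.path_gone, r.reopened, r.content_ok, (unsigned) r.mode);
    return r.setup_ok ? 0 : 1;
}
```

The second open() succeeds because the kernel resolves /proc/self/fd/N by the descriptor's struct file, not by a pathname; unlink only removed the directory entry. Any process running as the same uid (or with CAP_SYS_PTRACE) can do the same through /proc/<pid>/fd/N, which is why unlinking does not hide the heap from the owning user, while the 0600 mode from mkstemp is what keeps other users out both before and after the unlink.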
More information about the hotspot-runtime-dev mailing list