> On Jul 27, 2020, at 10:02 AM, Anthony Yznaga <[email protected]>
> wrote:
>
> This patchset adds support for preserving an anonymous memory range across
> exec(3) using a new madvise MADV_DOEXEC argument. The primary benefit for
> sharing memory in this manner, as opposed to re-attaching to a named shared
> memory segment, is to ensure it is mapped at the same virtual address in
> the new process as it was in the old one. An intended use for this is to
> preserve guest memory for guests using vfio while qemu exec's an updated
> version of itself. By ensuring the memory is preserved at a fixed address,
> vfio mappings and their associated kernel data structures can remain valid.
> In addition, for the qemu use case, qemu instances that back guest RAM with
> anonymous memory can be updated.
This will be an amazing attack surface. Perhaps use of this flag should require
no_new_privs? Arguably it should also require a special flag to execve() to
honor it. Otherwise library helpers that do vfork()+exec() or posix_spawn()
could be quite surprised.
