splice() and the ghost of set_fs()
Posted May 28, 2022 3:56 UTC (Sat) by willy (subscriber, #9762)
In reply to: splice() and the ghost of set_fs() by SLi
Parent article: splice() and the ghost of set_fs()
The problem is twofold. One is that while set_fs() is active, various security measures (like SMEP and SMAP) are defeated. The other is that (on some architectures, e.g. on a 4GB/4GB split x86-32), you may not actually be able to access userspace, because accessing userspace actually accesses kernel space. On x86-64, you can tell from the high bits of the pointer whether it's userspace or kernel space, but that's not true, e.g., on SPARC or PARISC.
Posted Jun 9, 2022 17:06 UTC (Thu) by stem (guest, #83810)
Are you sure?
AFAIK, set_fs() has nothing to do with SM*P; it was abused w.r.t. access_ok() / copy_*_user().