> On Mar 8, 2018, at 7:06 PM, Linus Torvalds <torva...@linux-foundation.org>
> wrote:
>
>
> Honestly, that "read twice" thing may be what scuttles this.
> Initially, I thought it was a non-issue, because anybody who controls
> the module subdirectory enough to rewrite files would be in a position
> to just execute the file itself directly instead.
>
On further consideration, I think there’s another showstopper. This patch is a
potentially severe ABI break. Right now, loading a module *copies* it into
memory and does not hold a reference to the underlying fs. With the patch
applied, all kinds of use cases can break in gnarly ways. Initramfs is maybe
okay, but initrd may be screwed. If you load an ET_EXEC module from initrd,
then umount it, then clear the ramdisk, something will go horribly wrong.
Exactly what goes wrong depends on whether userspace notices that umount()
failed. Similarly, if you load one of these modules over a network and then
lose your connection, you have a problem.
The “read twice” thing is also bad for another reason: containers. Suppose I
have a setup where a container can load a signed module blob. With the read
twice code, the container can race and run an entirely different blob outside
the container.
