Re: null_handle_cmd() doesn't initialize data when reading

[Damien Le Moal <Damien.LeMoal@wdc.com>]

On 2020/05/12 11:43, Bart Van Assche wrote:
> On 2020-05-11 18:42, Damien Le Moal wrote:
>> The patch looks good to me. However, I have one concern regarding the
>> performance impact of this. When nullblk is used to benchmark the block IO stack
>> overhead, doing this zeroing unconditionally will likely significantly impact
>> measured performance. So may be this zeroing feature should be driven by a
>> modprobe/configfs option ? Doing so, we can keep it off by default, preserving
>> performance, and turn it on when needed as in Alexander use case.
>>
>> Thoughts ?
> 
> Hi Damien,
> 
> Does the current implementation of null_blk allow one process to access
> data that was generated by another process? If so, does that behavior
> count as a security bug?

null_blk not changing in any way the buffer pages for reads may have
implications in this area. I am not sure, I would need to go back read through
the page cache read path to see. There is page zeroing going on at that level
(e.g. reading a file hole, reading after eof) but not sure if that data leak
protection applies to nullblk or raw block device file accesses in general.
Likely not. Raw block device file accesses are normally reserved to root user
only for a reason...

> I am aware of the performance impact of the patch attached to my
> previous email. I have not made the zeroing behavior optional because
> I'm concerned about the security implications of doing that.

Understood. But since null_blk is essentially a test tool, I wonder if security
should be a concern. Personally, I definitely would privilege performance
aspects over security for null_blk, but I am not running it in a sensitive
environment either...

I think it may be good to involve Jens and ask him about his thoughts on the
subject.

-- 
Damien Le Moal
Western Digital Research