Java heap file on daxfs should be more secure

Florian Weimer fweimer at
Wed Jan 8 12:46:25 UTC 2020

* Yasumasa Suenaga:

> Hi Florian,
> On 2019/12/19 18:08, Florian Weimer wrote:
>> * Yasumasa Suenaga:
>>> HotSpot allocates the Java heap on daxfs if we pass -XX:AllocateHeapAt.
>>> It performs open(2) and unlink(2) on daxfs, and the heap is used via an
>>> mmap'ed address.
>>> mmap(2) would be called with MAP_SHARED, and it is not atomic
>>> between open(2) and unlink(2). If a malicious user opens the Java heap
>>> file before unlink(2), it might be exposed.
>> The existing code uses mkstemp, so the content is not exposed to other
>> users.  The same user can still access the file through /proc, with and
>> without O_TMPFILE.
> The same user cannot access it through procfs after the unlink(2) call because the file is deleted.
> The symlink in /proc/<pid>/fd is a dead link.

Oh, that one isn't really a symbolic link.  You can still open the file:

#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main (void)
{
  /* Anonymous file: never has a name in the directory at all.  */
  int fd = open ("/tmp", O_TMPFILE | O_RDWR, 0777);
  if (fd < 0)
    err (1, "open");

  const char *message = "message\n";
  if (write (fd, message, strlen (message)) != (ssize_t) strlen (message))
    errx (1, "write");

  /* The /proc entry looks like a dangling symlink, but it can still be
     listed and opened (by the same user) while the descriptor is live.  */
  char *command;
  if (asprintf (&command, "ls -l /proc/%d/fd/%d", (int) getpid(), fd) < 0)
    err (1, "asprintf");
  system (command);
  free (command);
  if (asprintf (&command, "cat /proc/%d/fd/%d", (int) getpid(), fd) < 0)
    err (1, "asprintf");
  system (command);
  free (command);

  if (close (fd) != 0)
    err (1, "close");
  return 0;
}

Prints this for me (assuming that the file system at /tmp actually
supports O_TMPFILE):

lrwx------. 1 fweimer fweimer 64 Jan  8 13:45 /proc/153704/fd/3 -> '/tmp/#2188223 (deleted)'
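The same point holds for the mkstemp-then-unlink sequence the thread discusses, and it is worth checking what actually keeps other users out. The following is an added example, not code from Florian's message or from HotSpot; it assumes Linux with /proc mounted and a /tmp that either supports O_TMPFILE or lets mkstemp create a file. The path names and file content are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Anonymous temporary file as in the thread: O_TMPFILE where the file
   system supports it, else mkstemp (mode 0600) followed by unlink. */
static int make_anonymous_tmpfile(void)
{
    int fd = open("/tmp", O_TMPFILE | O_RDWR, 0600);
    if (fd >= 0)
        return fd;
    char path[] = "/tmp/heapfile-demo-XXXXXX";  /* constructed name */
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);  /* the name is gone; the inode lives while fd is open */
    return fd;
}

/* Reopen the unlinked file through /proc/self/fd/N, then check that the
   new descriptor is the same inode, shows the same bytes, and that the
   mode (no group/other bits) is what keeps other users out.  Returns 1
   when all hold, 0 when a check fails, -1 on a syscall error. */
int reopen_via_proc_matches(void)
{
    static const char message[] = "message\n";  /* constructed content */
    const ssize_t len = sizeof message - 1;
    int fd = make_anonymous_tmpfile();
    if (fd < 0 || write(fd, message, len) != len)
        return -1;

    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int fd2 = open(procpath, O_RDONLY);  /* succeeds despite "(deleted)" */
    struct stat a, b;
    if (fd2 < 0 || fstat(fd, &a) != 0 || fstat(fd2, &b) != 0)
        return -1;

    char buf[sizeof message];
    ssize_t n = read(fd2, buf, len);
    close(fd2);
    close(fd);
    return (n == len && memcmp(buf, message, len) == 0 &&
            a.st_ino == b.st_ino && a.st_dev == b.st_dev &&
            (a.st_mode & 077) == 0) ? 1 : 0;
}
```

The unlink only removes the directory entry; the 0600 mode and the ownership of /proc/<pid> are what stop a different user from reading the heap file.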
