Subject: Re: new mremap(2): relax alignment restrictions?
To: None <tech-kern@NetBSD.org>
From: Eric Haszlakiewicz <erh@nimenees.com>
List: tech-kern
Date: 07/27/2007 12:36:49
On Thu, Jul 26, 2007 at 09:36:50PM -0700, Bill Stouder-Studenmund wrote:
> On Thu, Jul 26, 2007 at 03:05:06PM -0500, Eric Haszlakiewicz wrote:
> > On Wed, Jul 25, 2007 at 10:57:53PM -0700, Bill Stouder-Studenmund wrote:
> > > We should check, but I doubt there is a security issue here. All you're
> > > going to find is anything extra you scribbled while the page was in cache.
> > > And you have to have write access to do that, so you could have written
> > > the file anyway.
> >
> > Sure, but anyone with read access can see that data.  You don't need write
> > access for that.  You can even do it with cp:
>
> I'm sorry, but I still don't see how this is a security issue. You're
> playing with mmap and bytes past the end of the file. "Don't do that."

I agree.  I can't think of a reasonable way that this could be considered
a security issue either.  It is, however, rather non-obvious behavior,
and could use a better explanation in the man page if nothing else:

... Any such extension beyond
the end of the mapped object will be zero-filled.  However, depending on
how the VM system caches data, if the object is currently mapped in another
process (or was recently mapped), and that process wrote bytes beyond the
end of the object, that data may still be present.

eric
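
The behavior discussed in this message can be observed with a short C program. This is an added example, not part of the original post or of NetBSD's sources; the `probe_tail` name, the 100-byte file and the marker offset are constructed for illustration, and it uses two mappings in one process in place of the two processes the proposed man page text describes.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define FILE_LEN 100   /* constructed sample: the file is 100 bytes long */
#define MARK_OFF 200   /* past EOF, but still inside the file's only page */

struct tail_result {
    long size_after;   /* st_size after the store past EOF */
    long read_bytes;   /* bytes pread(2) returns for the whole file */
    int stale_visible; /* 1: second mapping sees the marker, 0: zero, -1: error */
};
struct tail_result probe_tail(void)
{
    struct tail_result r = { -1, -1, -1 };
    char path[] = "/tmp/tailprobeXXXXXX";
    char buf[4096];
    long pg = sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0) return r;
    unlink(path);                       /* the file goes away when fd closes */
    if (ftruncate(fd, FILE_LEN) == 0) {
        /* "Writer": maps the whole page and scribbles past the end of the file. */
        unsigned char *w = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        /* "Reader": a second, read-only mapping of the same object. */
        unsigned char *rd = mmap(NULL, pg, PROT_READ, MAP_SHARED, fd, 0);
        if (w != MAP_FAILED && rd != MAP_FAILED) {
            struct stat st;
            w[MARK_OFF] = 0xA5;                           /* store beyond EOF */
            r.stale_visible = (rd[MARK_OFF] == 0xA5);     /* depends on the VM system */
            if (fstat(fd, &st) == 0) r.size_after = (long)st.st_size;
            r.read_bytes = (long)pread(fd, buf, sizeof buf, 0);
        }
        if (w != MAP_FAILED) munmap(w, pg);
        if (rd != MAP_FAILED) munmap(rd, pg);
    }
    close(fd);
    return r;
}

int main(void)
{
    struct tail_result r = probe_tail();
    printf("size=%ld read=%ld stale_visible=%d\n", r.size_after, r.read_bytes, r.stale_visible);
    return r.size_after == FILE_LEN ? 0 : 1;
}
```

The file length and the data returned by `pread` stay at 100 bytes in every case; only the mapped view of the tail of the page differs, and whether the marker shows up there depends on how the VM system caches the page.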