Thanks! I see. So it seems like the program basically has to capture sensitive data while it is in I/O transfer (and hence in kernel memory) just at the right time, right? Which is annoying and might need a bit of luck, but still possible.
Incidentally, this seems to indicate that zero-copy I/O is actually a security improvement as well, not just a performance improvement?
I am not really sure how/if zero copy may/may not solve this problem.
If this bug only allows reading kernel pages, zero copy may actually help if the unprivileged user can't read your pages, but from the small amount of available description it looks like it can read any page. Kernel pages are more interesting because that's a ring lower, which is why all the focus is on that.
I am fairly certain there is more protection against being able to read memory owned by a process on a lower ring level, so zero copy may be a bad idea for security-critical data.
And based on the disclosure that Google published, it looks like any memory can be read.