From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE918C4338F for ; Fri, 20 Aug 2021 16:38:45 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 487CF61130 for ; Fri, 20 Aug 2021 16:38:45 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 487CF61130 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=pwning.systems Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id AADD46B0071; Fri, 20 Aug 2021 12:38:44 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id A5DE96B0072; Fri, 20 Aug 2021 12:38:44 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 94CE18D0001; Fri, 20 Aug 2021 12:38:44 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 7800C6B0071 for ; Fri, 20 Aug 2021 12:38:44 -0400 (EDT) Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 02D3F1803281C for ; Fri, 20 Aug 2021 16:38:44 +0000 (UTC) X-FDA: 78496017768.28.8393640 Received: from MTA-07-4.privateemail.com (mta-07-4.privateemail.com [68.65.122.27]) by imf03.hostedemail.com (Postfix) with ESMTP id 6DC8630000AB for ; Fri, 20 Aug 2021 16:38:42 +0000 (UTC) Received: from mta-07.privateemail.com (localhost [127.0.0.1]) by mta-07.privateemail.com (Postfix) with ESMTP id 9C5391800236; Fri, 20 Aug 2021 12:38:40 -0400 (EDT) Received: from APP-04 (unknown [10.50.14.154]) by mta-07.privateemail.com (Postfix) with ESMTPA id 5980D180022D; Fri, 20 Aug 2021 12:38:40 -0400 (EDT) Date: Fri, 20 Aug 2021 12:38:40 -0400 (EDT) From: Jordy Zomer To: Kees Cook , James Bottomley Cc: linux-kernel@vger.kernel.org, Andrew Morton , linux-mm@kvack.org, Mike Rapoport Message-ID: <209705133.1285234.1629477520318@privateemail.com> In-Reply-To: <202108200904.81ED4AA52@keescook> References: <20210820043339.2151352-1-jordy@pwning.systems> <0874a50b61cfaf7c817cab7344c49c1641c1fd10.camel@HansenPartnership.com> <202108200904.81ED4AA52@keescook> Subject: Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.5-Rev17 X-Originating-Client: open-xchange-appsuite X-Virus-Scanned: ClamAV using ClamSMTP X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 6DC8630000AB X-Stat-Signature: a8xxnp37xqc1rnddudb4wjfbdehy3jwp Authentication-Results: imf03.hostedemail.com; dkim=none; dmarc=none; spf=none (imf03.hostedemail.com: domain of jordy@pwning.systems has no SPF policy when checking 68.65.122.27) smtp.mailfrom=jordy@pwning.systems X-HE-Tag: 1629477522-879614 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Hi There! Because this is a global variable, it appears to be exploitable. Either we = generate a sufficient number of processes to achieve this counter, or you i= ncrease the open file limit with ulimit or sysctl. Unless the kernel has a = hard restriction on the number of potential file descriptors that I'm not a= ware of. In any case, it's probably a good idea to patch this to make it explicitly = secure. If you discover a hard-limit in the kernel for open file descriptor= s, please let me know. I'm genuinely =E2=80=8Binterested :D! Best Regards, Jordy > On 08/20/2021 12:05 PM Kees Cook wrote: >=20 > =20 > On Fri, Aug 20, 2021 at 07:57:25AM -0700, James Bottomley wrote: > > On Fri, 2021-08-20 at 06:33 +0200, Jordy Zomer wrote: > > > As you can see there's an `atomic_inc` for each `memfd` that is > > > opened in the `memfd_secret` syscall. If a local attacker succeeds to > > > open 2^32 memfd's, the counter will wrap around to 0. This implies > > > that you may hibernate again, even though there are still regions of > > > this secret memory, thereby bypassing the security check. > >=20 > > This isn't a possible attack, is it? secret memory is per process and > > each process usually has an open fd limit of 1024. That's not to say > > we shouldn't have overflow protection just in case, but I think today > > we don't have a problem. >=20 > But it's a _global_ setting, so it's still possible, though likely > impractical today. But refcount_t mitigates it and is a trivial change. > :) >=20 > --=20 > Kees Cook