From: David Hildenbrand <david@redhat.com>
To: David Wang <00107082@163.com>,
	akpm@linux-foundation.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Cc: Mike Rapoport <rppt@linux.ibm.com>
Subject: Re: [BUG?] mm/secretmem: memory address mapped to memfd_secret can be used in write syscall.
Date: Mon, 13 Nov 2023 10:15:05 +0100	[thread overview]
Message-ID: <60081af2-d580-4f82-9233-3d3d7dd883bc@redhat.com> (raw)
In-Reply-To: <61159548.60cf.18baec1fd65.Coremail.00107082@163.com>

On 08.11.23 12:47, David Wang wrote:
> 
> Hi,
> According to https://lwn.net/Articles/865256/,
> the memory address got from memfd_secret/ftruncate/mmap should not be used by syscalls, since it is not accessible even by kernel.
> 
> But my test result shows that the "secret" memory could be used in syscall write, is this expected behavior?
> This is my test code:

CCing Mike.

According to the man page:

"The memory areas backing the file created with memfd_secret(2) are 
visible only to the processes that have access to the file descriptor. 
The memory region is removed from the kernel page tables and only the 
page tables of the processes holding the file descriptor map the 
corresponding physical memory. (Thus, the pages in the region can't be 
accessed by the kernel itself, so that, for example, pointers to the 
region can't be passed to system calls.)"

I'm not sure if the last part is actually true, if the syscalls end up 
walking user page tables to copy data in/out.

> 
> #define _GNU_SOURCE
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/mman.h>
> #include <sys/syscall.h>
> 
> int main() {
> 	// allocate a "secret" memfd; returns ENOSYS if the kernel has no secretmem support
> 	int fd = syscall(__NR_memfd_secret, 0);
> 	if (fd < 0) {
> 		perror("Fail to create secret");
> 		return -1;
> 	}
> 	if (ftruncate(fd, 1024) < 0) {
> 		perror("Fail to size the secret");
> 		return -1;
> 	}
> 	// the pages behind this mapping are removed from the kernel direct map
> 	char *key = mmap(NULL, 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
> 	if (key == MAP_FAILED) {
> 		perror("Fail to mmap");
> 		return -1;
> 	}
> 	// should be some secure channel
> 	strcpy(key, "ThisIsAKey");
> 	// printf("[%d]key(%s) ready: %p\n", getpid(), key, key);
> 	// getchar();
> 	// make syscall, should err
> 	write(STDOUT_FILENO, key, strlen(key));  //<-- Here the key shows up on stdout.
> 	return 0;
> }


What probably happens here is that the kernel reads the data via the 
user page tables, and can, therefore, access that memory just fine.

Looking at the selftest (tools/testing/selftests/mm/memfd_secret.c) we 
test that we cannot read from the memfd and cannot write to the memfd. 
We don't test if other syscalls can access that user-provided buffer 
that is backed by a memfd.

-- 
Cheers,

David / dhildenb
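The two access paths the thread distinguishes, as an added example that is neither the reporter's program nor the kernel selftest: the memfd's own read(2)/write(2) (rejected, the file has no read/write operations) versus a syscall that takes the mapped address as a user buffer (copied fine, since copy_from_user walks the user page tables). It assumes __NR_memfd_secret is 447 only when the libc headers lack it, and uses a constructed sample string instead of a real key.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447 /* asm-generic number; assumed when headers predate it */
#endif

/* Which paths reached the bytes in the secret mapping. */
struct secretmem_probe {
	int supported;               /* 1 once memfd_secret()/ftruncate/mmap all succeeded */
	int fd_read_failed;          /* 1 if read(fd) on the memfd itself was rejected */
	int fd_write_failed;         /* 1 if write(fd) on the memfd itself was rejected */
	int leaked_via_user_pointer; /* 1 if write(pipe, secret_ptr) copied the secret out */
};

/* Returns 1 if the probe ran, 0 if secretmem is unavailable (ENOSYS, EPERM,
 * not enabled via secretmem.enable, or mlock limit hit) and the result is
 * inconclusive. */
int probe_secretmem(struct secretmem_probe *p)
{
	const char secret[] = "constructed-sample-key"; /* constructed sample, not a real key */
	char back[sizeof(secret)] = {0};
	int pipefd[2];
	long page = sysconf(_SC_PAGESIZE);

	memset(p, 0, sizeof(*p));
	int fd = (int)syscall(__NR_memfd_secret, 0);
	if (fd < 0)
		return 0;
	char *key = MAP_FAILED;
	if (ftruncate(fd, page) == 0)
		key = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (key == MAP_FAILED) { close(fd); return 0; }
	p->supported = 1;
	memcpy(key, secret, sizeof(secret));

	/* Path 1: file I/O on the memfd has no read/write file operations. */
	p->fd_read_failed = read(fd, back, sizeof(back)) < 0;
	p->fd_write_failed = write(fd, secret, sizeof(secret)) < 0;

	/* Path 2: the same bytes handed to write() as a user buffer. */
	if (pipe(pipefd) == 0) {
		ssize_t n = write(pipefd[1], key, sizeof(secret));
		if (n == (ssize_t)sizeof(secret) && read(pipefd[0], back, sizeof(back)) == n)
			p->leaked_via_user_pointer = memcmp(back, secret, sizeof(secret)) == 0;
		close(pipefd[0]); close(pipefd[1]);
	}
	munmap(key, page); close(fd);
	return p->supported;
}
```

The takeaway for threat modelling: secretmem removes the pages from the kernel direct map, which defends against kernel-side reads of the physical memory (bugs, dumps), not against the owning process handing the address to a syscall.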
