From: Jann Horn
Date: Tue, 3 Dec 2024 18:28:22 +0100
Subject: Re: udmabuf: check_memfd_seals() is racy
To: "Kasireddy, Vivek"
Cc: Gerd Hoffmann, dri-devel, Julian Orth, Lorenzo Stoakes, Linux-MM
On Tue, Dec 3, 2024 at 9:25 AM Kasireddy, Vivek wrote:
>
> > Julian Orth reported at
> > https://bugzilla.kernel.org/show_bug.cgi?id=219106 that
> Thank you for reporting this bug.
>
> > udmabuf_create() checks for F_SEAL_WRITE in a racy way, so a udmabuf
> > can end up holding references to pages in a write-sealed memfd, which
> > theoretically breaks one of the security properties of memfd sealing.
> > See also the discussion starting at
> > mm/CAHijbEV6wtTQy01djSfWBJksq4AEoZ=KYUsaKEKNSXbTTSM-
> > Ww@mail.gmail.com/>.
> AFAICS, this problem does not adversely affect the main user of udmabuf driver
> (Qemu) given that Qemu adds F_SEAL_SEAL while creating the memfd but
> I can see how other users of udmabuf driver might be impacted by this issue.

The issue is that in theory, a nefarious process could maybe abuse
udmabuf to write to a memfd that is supposed to be sealed. This could
violate the assumption that a F_SEAL_WRITE-sealed memfd's memory is
immutable in another process. So the affected process wouldn't have to
be aware of udmabuf at all.

> > I think one possible correct pattern would be something like:
> >
> > mapping_map_writable() [with error bailout]
> > check seals with F_GET_SEALS
> > udmabuf_pin_folios()
> > mapping_unmap_writable()
> I believe this should probably work as mapping_map_writable() would prevent
> F_SEAL_WRITE from getting added later. Do you plan to send a patch to fix
> this issue in udmabuf driver?

Yes, I just sent fixes for this issue and two others at
(though I went with the inode lock instead of mapping_map_writable()
to keep things simpler).
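Added example, not code from this thread nor from the udmabuf driver: a userspace C program that exercises the memfd seal semantics the discussion relies on. It assumes Linux with a glibc that exposes memfd_create(2) and the F_ADD_SEALS/F_GET_SEALS fcntl(2) commands; the function names (memfd_is_write_sealed, run_seal_demo and the rest) are the example's own. It walks through the F_GET_SEALS check a consumer such as udmabuf has to make, shows that F_SEAL_WRITE is refused with EBUSY while a writable shared mapping exists (the same i_mmap_writable accounting that mapping_map_writable() increments, which is why holding it across the check closes the window), shows that once the seal is on both write(2) and a writable shared mmap fail with EPERM, and finishes with F_SEAL_SEAL, the seal the thread notes QEMU sets at creation, which prevents the seal set from changing at all.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* F_SEAL_FUTURE_WRITE (Linux 5.1+) is missing from older libc headers;
 * the value is the kernel uapi constant. */
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010
#endif

/* The check a consumer like udmabuf has to make before pinning pages:
 * 1 = write-sealed (or sealed against future writes), 0 = writable,
 * -1 = not a sealable fd. The answer is only valid at the instant of the
 * call unless something stops the seal set from changing afterwards. */
int memfd_is_write_sealed(int fd)
{
	int seals = fcntl(fd, F_GET_SEALS);
	if (seals < 0)
		return -1;
	return (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) ? 1 : 0;
}

/* Create a sealable memfd of the given size; returns the fd or -1. */
int make_sealable_memfd(size_t size)
{
	int fd = memfd_create("seal-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
	if (fd < 0)
		return -1;
	if (ftruncate(fd, (off_t)size) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Try to modify the memfd through write(2); 0 on success, else errno. */
int try_write(int fd)
{
	return pwrite(fd, "x", 1, 0) < 0 ? errno : 0;
}

/* Try to map the memfd MAP_SHARED|PROT_WRITE; 0 on success, else errno. */
int try_map_writable(int fd, size_t size)
{
	void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (p == MAP_FAILED)
		return errno;
	munmap(p, size);
	return 0;
}

/* Walks the sequence the thread is about and returns 0 if every expectation
 * held, otherwise the number of the first step that did not. */
int run_seal_demo(void)
{
	const size_t size = 4096;
	void *p = MAP_FAILED;
	int rc = 0;
	int fd = make_sealable_memfd(size);
	if (fd < 0)
		return 1;

	/* Step 2: a fresh memfd is writable and F_GET_SEALS says so. */
	if (memfd_is_write_sealed(fd) != 0) { rc = 2; goto out; }

	/* Steps 3-4: while a writable shared mapping is alive (the accounting
	 * mapping_map_writable() bumps in the kernel), F_SEAL_WRITE is refused
	 * with EBUSY, so the answer from step 2 cannot go stale meanwhile. */
	p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (p == MAP_FAILED) { rc = 3; goto out; }
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) != -1 || errno != EBUSY) {
		rc = 4; goto out;
	}
	munmap(p, size);
	p = MAP_FAILED;

	/* Steps 5-8: with no writable mapping the seal goes on. A consumer that
	 * checked in step 2 and only pins now would hold pages of a write-sealed
	 * memfd: that is the race window discussed above. Once sealed, write(2)
	 * and a writable shared mmap are both refused with EPERM. */
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) != 0) { rc = 5; goto out; }
	if (memfd_is_write_sealed(fd) != 1) { rc = 6; goto out; }
	if (try_write(fd) != EPERM) { rc = 7; goto out; }
	if (try_map_writable(fd, size) != EPERM) { rc = 8; goto out; }

	/* Steps 9-10: F_SEAL_SEAL freezes the seal set itself; any later
	 * F_ADD_SEALS fails with EPERM, so no seal can be added or raced in. */
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_SEAL) != 0) { rc = 9; goto out; }
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK) != -1 || errno != EPERM) {
		rc = 10; goto out;
	}

out:
	if (p != MAP_FAILED)
		munmap(p, size);
	close(fd);
	return rc;
}

int main(void)
{
	int rc = run_seal_demo();
	printf("memfd seal demo: %s (code %d)\n",
	       rc == 0 ? "all expectations held" : "expectation failed", rc);
	return rc;
}
```

Build with `cc -Wall -o seal-demo seal-demo.c` on Linux and run it; a return code of 0 means every step behaved as described. The interesting step for the thread is 4: the kernel will not let F_SEAL_WRITE be added while a writable mapping is counted, which is exactly the property the proposed mapping_map_writable() bracket (or, in the fix actually sent, the inode lock) uses to make the F_GET_SEALS check and the subsequent pin atomic with respect to sealing.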