From: Paul Moore <paul@paul-moore.com>
To: jeffxu@chromium.org
Cc: skhan@linuxfoundation.org, keescook@chromium.org,
akpm@linux-foundation.org, dmitry.torokhov@gmail.com,
dverkamp@chromium.org, hughd@google.com, jeffxu@google.com,
jorgelo@chromium.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
jannh@google.com, linux-hardening@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC
Date: Fri, 9 Dec 2022 13:15:03 -0500 [thread overview]
Message-ID: <CAHC9VhQ2P0rif2hiVGMGafWXQyZqPQc-yGQDEzjEehH1gzWgSA@mail.gmail.com> (raw)
In-Reply-To: <20221209160453.3246150-1-jeffxu@google.com>
On Fri, Dec 9, 2022 at 11:05 AM <jeffxu@chromium.org> wrote:
> From: Jeff Xu <jeffxu@google.com>
>
> Since Linux introduced the memfd feature, memfd have always had their
> execute bit set, and the memfd_create() syscall doesn't allow setting
> it differently.
>
> However, in a secure by default system, such as ChromeOS, (where all
> executables should come from the rootfs, which is protected by Verified
> boot), this executable nature of memfd opens a door for NoExec bypass
> and enables “confused deputy attack”. E.g, in VRP bug [1]: cros_vm
> process created a memfd to share the content with an external process,
> however the memfd is overwritten and used for executing arbitrary code
> and root escalation. [2] lists more VRP in this kind.
...
> [1] https://crbug.com/1305411
Can you make this accessible so those of us on the public lists can
view this bug? If not, please remove it from future postings and
adjust your description accordingly.
--
paul-moore.com
next parent reply other threads:[~2022-12-09 18:15 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20221209160453.3246150-1-jeffxu@google.com>
2022-12-09 18:15 ` Paul Moore [this message]
[not found] ` <20221209160453.3246150-7-jeffxu@google.com>
2022-12-09 17:02 ` [PATCH v7 6/6] mm/memfd: security hook for memfd_create Casey Schaufler
2022-12-09 18:29 ` Paul Moore
2022-12-13 15:00 ` Jeff Xu
2022-12-13 15:37 ` Casey Schaufler
2022-12-13 19:22 ` Paul Moore
2022-12-13 23:05 ` Jeff Xu
2025-09-20 5:54 ` Abhinav Saxena
2025-09-20 18:58 ` Jeff Xu
[not found] ` <20221209160453.3246150-3-jeffxu@google.com>
2022-12-14 18:52 ` [PATCH v7 2/6] selftests/memfd: add tests for F_SEAL_EXEC Kees Cook
2022-12-14 18:54 ` [PATCH v7 0/6] mm/memfd: introduce MFD_NOEXEC_SEAL and MFD_EXEC Kees Cook
2022-12-14 23:32 ` Jeff Xu
2022-12-15 0:08 ` Kees Cook
2022-12-15 16:55 ` Jeff Xu
[not found] ` <20221209160453.3246150-4-jeffxu@google.com>
2022-12-14 18:53 ` [PATCH v7 3/6] mm/memfd: add " Kees Cook
2022-12-16 18:39 ` SeongJae Park
2022-12-16 19:03 ` Jeff Xu
2022-12-16 19:21 ` Andrew Morton
2022-12-16 19:31 ` SeongJae Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhQ2P0rif2hiVGMGafWXQyZqPQc-yGQDEzjEehH1gzWgSA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=akpm@linux-foundation.org \
--cc=dmitry.torokhov@gmail.com \
--cc=dverkamp@chromium.org \
--cc=hughd@google.com \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox