From: "Kasireddy, Vivek" <vivek.kasireddy@intel.com>
To: Jann Horn <jannh@google.com>, Gerd Hoffmann <kraxel@redhat.com>,
dri-devel <dri-devel@lists.freedesktop.org>
Cc: Julian Orth <ju.orth@gmail.com>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Linux-MM <linux-mm@kvack.org>
Subject: RE: udmabuf: check_memfd_seals() is racy
Date: Tue, 3 Dec 2024 08:25:32 +0000 [thread overview]
Message-ID: <IA0PR11MB7185E2589D638EF287E627E0F8362@IA0PR11MB7185.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com>
Hi Jann, Julian,
> Subject: udmabuf: check_memfd_seals() is racy
>
> Hi!
>
> Julian Orth reported at
> https://bugzilla.kernel.org/show_bug.cgi?id=219106 that
Thank you for reporting this bug.
> udmabuf_create() checks for F_SEAL_WRITE in a racy way, so a udmabuf
> can end up holding references to pages in a write-sealed memfd, which
> theoretically breaks one of the security properties of memfd sealing.
> See also the discussion starting at
> <https://lore.kernel.org/linux-
> mm/CAHijbEV6wtTQy01djSfWBJksq4AEoZ=KYUsaKEKNSXbTTSM-
> Ww@mail.gmail.com/>.
AFAICS, this problem does not adversely affect the main user of udmabuf driver
(Qemu) given that Qemu adds F_SEAL_SEAL while creating the memfd but
I can see how other users of udmabuf driver might be impacted by this issue.
>
> I think one possible correct pattern would be something like:
>
> mapping_map_writable() [with error bailout]
> check seals with F_GET_SEALS
> udmabuf_pin_folios()
> mapping_unmap_writable()
I believe this should probably work as mapping_map_writable() would prevent
F_SEAL_WRITE from getting added later. Do you plan to send a patch to fix
this issue in udmabuf driver?
Thanks,
Vivek
next parent reply other threads:[~2024-12-03 8:25 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com>
2024-12-03 8:25 ` Kasireddy, Vivek [this message]
2024-12-03 17:28 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=IA0PR11MB7185E2589D638EF287E627E0F8362@IA0PR11MB7185.namprd11.prod.outlook.com \
--to=vivek.kasireddy@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=jannh@google.com \
--cc=ju.orth@gmail.com \
--cc=kraxel@redhat.com \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox