From: "Theodore Ts'o" <tytso@mit.edu>
To: David Hildenbrand <david@redhat.com>
Cc: David Wang <00107082@163.com>,
	akpm@linux-foundation.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, Mike Rapoport <rppt@linux.ibm.com>
Subject: Re: [BUG?] mm/secretmem: memory address mapped to memfd_secret can be used in write syscall.
Date: Mon, 13 Nov 2023 08:26:21 -0500	[thread overview]
Message-ID: <ZVIj_cDIzat39lQ6@mit.edu> (raw)
In-Reply-To: <60081af2-d580-4f82-9233-3d3d7dd883bc@redhat.com>

On Mon, Nov 13, 2023 at 10:15:05AM +0100, David Hildenbrand wrote:
> 
> According to the man page:
> 
> "The  memory areas backing the file created with memfd_secret(2) are visible
> only to the processes that have access to the file descriptor. The memory
> region is removed from the kernel page tables and only the page tables  of
> the  processes  holding  the file descriptor map the corresponding physical
> memory.  (Thus, the pages in the region can't be accessed by the kernel
> itself, so that, for example, pointers  to  the region can't be passed to
> system calls.)
> 
> I'm not sure if the last part is actually true, if the syscalls end up
> walking user page tables to copy data in/out.

The idea behind removing it from the kernel page tables is so that
kernel code running in some other process context won't be able to
reference the memory via the kernel address space.  (So if there is
some kind of kernel zero-day which allows arbitrary code execution,
the injected attack code would have to play games with page tables
before being able to reference the memory --- this is not
*impossible*, just more annoying.)

But if you are doing a buffered write, the copy from the user-supplied
buffer to the page cache is happening in the process's context.  So
"foreground kernel code" can dereference the user-supplied pointer
just fine.

Cheers,

						- Ted

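The point Ted makes above, that write(2) copies from the user buffer in the calling process's context through that process's own page tables, can be seen directly. The following is an added C example, not code from this thread or from the kernel tree: it maps a page from memfd_secret(2), fills it, passes that user pointer to write(2) on a page-cache-backed file (a constructed memfd) and reads the bytes back. Assumptions: the `__NR_memfd_secret` fallback value is for headers that predate the syscall, and on a kernel without CONFIG_SECRETMEM or without `secretmem.enable=1` the source falls back to an ordinary memfd so the same copy path still runs (the `is_secret` flag reports which one was used).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447 /* assumed for older headers: unified syscall-table number */
#endif
/* memfd_secret(2) fails (ENOSYS) without CONFIG_SECRETMEM and secretmem.enable=1; fall back to a plain memfd */
static int open_source_fd(int *is_secret)
{
    int fd = (int)syscall(__NR_memfd_secret, 0);
    *is_secret = (fd >= 0);
    return fd >= 0 ? fd : memfd_create("secretmem-fallback", 0);
}
/* Map one page of the source fd, copy msg into it, hand that user pointer to write(2) on a
 * page-cache-backed file (a constructed memfd) and read it back; returns bytes round-tripped or -1.
 * The copy runs in this process's context through its own page tables, so a secretmem buffer is
 * read like any other user buffer even though its page is absent from the kernel's direct map. */
static ssize_t write_from_mapping(const char *msg, int *is_secret)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = strlen(msg);
    char back[128];
    if (len > sizeof back) return -1;
    int src = open_source_fd(is_secret);
    if (src < 0 || ftruncate(src, page) != 0) { if (src >= 0) close(src); return -1; }
    char *map = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, src, 0);
    if (map == MAP_FAILED) { close(src); return -1; }
    memcpy(map, msg, len);            /* first touch faults the page in (and off the direct map) */
    int dst = memfd_create("dest", 0);
    ssize_t n = -1;
    if (dst >= 0 && write(dst, map, len) == (ssize_t)len &&
        pread(dst, back, len, 0) == (ssize_t)len && memcmp(back, msg, len) == 0)
        n = (ssize_t)len;
    if (dst >= 0) close(dst);
    munmap(map, page);
    close(src);
    return n;
}

int main(void)
{
    int secret = 0;
    ssize_t n = write_from_mapping("written from a user mapping", &secret);
    printf("%zd bytes round-tripped from a %s mapping\n", n, secret ? "memfd_secret" : "fallback memfd");
    return n < 0;
}
```

With secretmem enabled the write succeeds just as it does from the fallback memfd, which is the observation that started this thread; what secretmem removes is the direct-map alias, not the process's own user-space mapping.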
