Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1165705pxb; Thu, 19 Aug 2021 22:36:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzt+8H31F10psO201VsiBu1HfjRrzIqHpjrrttCajo2X6V3/LQNhLLlByDyGgLV8mpOcR5c X-Received: by 2002:a6b:f007:: with SMTP id w7mr14351928ioc.112.1629437773246; Thu, 19 Aug 2021 22:36:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629437773; cv=none; d=google.com; s=arc-20160816; b=fRU/PDauUboILcHVppH2Ri81+v8M+mDGKqYOpV5o3rL1DfRTYs+d/J4fIE3lYzvdKx 7K144pKcPXXbwIFRCghFoUc5Hva3r85co+lBbmZNmGBZRuHo3Enpf+JPs+uKCsvppuTU eHDRnMtHRKVl/WFAhQ80m8IxHmDsRJlWxc31a25HiWx72zgu4lFO6IGmHl302OSv95Od mAyb97DT5k6u+C9+8peOx0XyZv4Cxc/1OUEBKfZkXWZTcjAGVY7VCEna2mIJujaIH5xo lhMAmuplPnKI7r61TXBNBHy0mVnoxMJHGt5Bz6x67aUBmRGRIU4nRiF5Locf7Ar3UUJl rcVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=t77CbxubGxEGTMmMwfQTPijc/96kf1szGuSMv1EFAD4=; b=os3PLWLH7aSdznc1X6jzJxUHKPkrQ4W1FbC7bu3sSLEL8wDCsIUhRSCfCxEnhs5vj5 7oA9yCBm/z/KVq/JPepletLwZJdtfwlmuRL+hKad/mdUVNhN8fgWsp5Xif0NYOff8hjP 5CfFiWxx8djsyMm0CmzsWT2TnhrcFlFfDW9VZ8lZ+w1deBiN2mGI3v7UtRv4zPLmm1O7 S9Hc72+wNrP5SZL7fG1wPwLt0Dt4bqYvQ8XosROlXtf4Zp7NldnvKywDEtzVldQsXamt NI/h0EY3uaZPd633wjMHkyIxOXiEG4+kwwRBg+C5C8eOScUbI5kqmwJcbiUgVr2WGryX FQXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ja222Isq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d12si5896659ilg.105.2021.08.19.22.36.01; Thu, 19 Aug 2021 22:36:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Ja222Isq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233339AbhHTFe3 (ORCPT + 99 others); Fri, 20 Aug 2021 01:34:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231256AbhHTFe3 (ORCPT ); Fri, 20 Aug 2021 01:34:29 -0400 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B694AC061575 for ; Thu, 19 Aug 2021 22:33:51 -0700 (PDT) Received: by mail-pj1-x1029.google.com with SMTP id mq3so6567159pjb.5 for ; Thu, 19 Aug 2021 22:33:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=t77CbxubGxEGTMmMwfQTPijc/96kf1szGuSMv1EFAD4=; b=Ja222Isqq11kr4ZhqVigTCcrL9fIFtekeWme0RhNsM6otO6PdQquD7rbRU6+ee4EKm XhdcOSsskOxlBbZcG1GD5chnwgliVOp9yQsp5Nu7/g4B1ZIGmfUmWUnWSqXnXG/mH/vN QiqPfBEv/7xk8Mw9NlHeSrwnpWhRQHDn5K0ck= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=t77CbxubGxEGTMmMwfQTPijc/96kf1szGuSMv1EFAD4=; b=U5xCyBRQU9ZlZJNgk0qMo0j4KA2w/knHUSAw7ocFk02RsuQ1WGcsTMtb29GuHTiWW8 v3DszIpUMfMCWuppv4DRbLELrjz16HfPUMMhZVMaMXGaPYpauNH73yCgZ4ASNliGa2ZP SkiaTHHoIWM+LIJZ8oqDgQLAXvBeoBHHlFQz3G+zBBQ+CU1dJQlsLlJBfcoAXNBvHI4t QsIZBEjjOGKv10vskGSvZruuv/Y4bxaL+omLQCXeh3UDYCW9rFG3/FVCYm4ZAkxOlgCV Jt1cHkXTPtslmL50V6niXpWsOztw+t5hriLjok3NZ1PE7sChTJFZsBGTUOBXH/vr6X/R sh5g== X-Gm-Message-State: AOAM531v+UQlzxTI/J1X1IyfiWWyvHYtyRes0icjL0w8uWNdpD4qWhyS Dq8WD8D6lkbTbVZ4OsgsvOFM0A== X-Received: by 2002:a17:90a:ba0b:: with SMTP id s11mr2736424pjr.96.1629437631270; Thu, 19 Aug 2021 22:33:51 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id r78sm5560641pfc.206.2021.08.19.22.33.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 19 Aug 2021 22:33:50 -0700 (PDT) Date: Thu, 19 Aug 2021 22:33:49 -0700 From: Kees Cook To: Jordy Zomer Cc: linux-kernel@vger.kernel.org, Andrew Morton , linux-mm@kvack.org, Mike Rapoport , James Bottomley Subject: Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t Message-ID: <202108192227.8BE02F1C@keescook> References: <20210820043339.2151352-1-jordy@pwning.systems> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210820043339.2151352-1-jordy@pwning.systems> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 20, 2021 at 06:33:38AM +0200, Jordy Zomer wrote: > When a secret memory region is active, memfd_secret disables > hibernation. One of the goals is to keep the secret data from being > written to persistent-storage. > > It accomplishes this by maintaining a reference count to > `secretmem_users`. Once this reference is held your system can not be > hibernated due to the check in `hibernation_available()`. However, > because `secretmem_users` is of type `atomic_t`, reference counter > overflows are possible. It's an unlikely condition to hit given max-open-fds, etc, but there's no reason to leave this weakness. Changing this to refcount_t is easy and better than using atomic_t. Reviewed-by: Kees Cook > As you can see there's an `atomic_inc` for each `memfd` that is opened > in the `memfd_secret` syscall. If a local attacker succeeds to open 2^32 > memfd's, the counter will wrap around to 0. This implies that you may > hibernate again, even though there are still regions of this secret > memory, thereby bypassing the security check. IMO, this hibernation check is also buggy, since it looks to be vulnerable to ToCToU: processes aren't frozen when hibernation_available() checks secretmem_users(), so a process could add one and fill it before the process freezer stops it. And of course, there's still the ptrace hole[1], which is think is quite serious as it renders the entire defense moot. -Kees [1] https://lore.kernel.org/lkml/202105071620.E834B1FA92@keescook/ -- Kees Cook