Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1618222pxb; Fri, 20 Aug 2021 09:41:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzMTVW0oLLNgpMR8byrz6xPI50ybkJuoCMzIMwIZxYf/mJCAl2bBybas4nydjwk1n9KWsJi X-Received: by 2002:a17:907:9152:: with SMTP id l18mr22494878ejs.190.1629477660114; Fri, 20 Aug 2021 09:41:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629477660; cv=none; d=google.com; s=arc-20160816; b=ofHLBGUCRXW3EVKmCknXr9mHFNRTT391fuwWcfGeg//YbC8Bmm+mSjs63ibxCYvCDb Fl6oHPQgp37O65Ard4EECy2zxfqum1R3xOs82J00UQaUjxRwEP+qf8UnTY6/EutjqGSn eE+NYLHD8nHPxpULCKxhtkTLAtES6kIjKfJWiZsTOE38zCrZQc/pfOcD8tkjixWxuemb 3TC6fXXHJ5bFYnJzhYnPU/hYYwzwXiIIG2AXv/J/7DZbyrywB/FtIBC+czjSxg3HeTnt DE7o41YISbxrqz16gbaL3PaGi6pyyJOP5+hb2Hoh4JzSyBV+A/nterdodcNq+mEsQlCU yovA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:importance:content-transfer-encoding :mime-version:subject:references:in-reply-to:message-id:cc:to:from :date; bh=VxfjPgVyEv7lbIOKQjX9YRns11z/kBrI97owt0+5Ucs=; b=fLt5rxlHkUE3YQhdzVlWGQalXEyN8Jz7uyf6j4oShQkgxanumSbPE3h6bJ5KvNFffy yGLs1QAXnLSIqFQQnuzpYx/NwdHNIbVk8CqPyROhPhodxHKj5ePlpPYtcTHCGPqBNqul 8lZvUAJtnlKoftQ7a7S585M86SNvfzr8Qu9WhJgJGccs+hVWfR01srjOagQjRHEE7dTx uGhI+gW9wJP/iW2arStcks96sBVgLhpKOpXZe+puj//3Incr8kVZnnJDC+AjdW6bG5hE WEl4mX+KzWMbkZO5dMgK09nInys3tyV8u1A0bT4c9rS3AyNB//LovkwbI1dufaAQQwlK RAmA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v21si7184819edy.30.2021.08.20.09.40.25; Fri, 20 Aug 2021 09:41:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231583AbhHTQjW convert rfc822-to-8bit (ORCPT + 99 others); Fri, 20 Aug 2021 12:39:22 -0400 Received: from h4.fbrelay.privateemail.com ([131.153.2.45]:40555 "EHLO h4.fbrelay.privateemail.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229772AbhHTQjV (ORCPT ); Fri, 20 Aug 2021 12:39:21 -0400 Received: from MTA-07-4.privateemail.com (mta-07-1.privateemail.com [198.54.122.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by h3.fbrelay.privateemail.com (Postfix) with ESMTPS id A470A80514 for ; Fri, 20 Aug 2021 12:38:42 -0400 (EDT) Received: from mta-07.privateemail.com (localhost [127.0.0.1]) by mta-07.privateemail.com (Postfix) with ESMTP id 9C5391800236; Fri, 20 Aug 2021 12:38:40 -0400 (EDT) Received: from APP-04 (unknown [10.50.14.154]) by mta-07.privateemail.com (Postfix) with ESMTPA id 5980D180022D; Fri, 20 Aug 2021 12:38:40 -0400 (EDT) Date: Fri, 20 Aug 2021 12:38:40 -0400 (EDT) From: Jordy Zomer To: Kees Cook , James Bottomley Cc: linux-kernel@vger.kernel.org, Andrew Morton , linux-mm@kvack.org, Mike Rapoport Message-ID: <209705133.1285234.1629477520318@privateemail.com> In-Reply-To: <202108200904.81ED4AA52@keescook> References: <20210820043339.2151352-1-jordy@pwning.systems> <0874a50b61cfaf7c817cab7344c49c1641c1fd10.camel@HansenPartnership.com> <202108200904.81ED4AA52@keescook> Subject: Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.5-Rev17 X-Originating-Client: open-xchange-appsuite X-Virus-Scanned: ClamAV using ClamSMTP Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi There! Because this is a global variable, it appears to be exploitable. Either we generate a sufficient number of processes to achieve this counter, or you increase the open file limit with ulimit or sysctl. Unless the kernel has a hard restriction on the number of potential file descriptors that I'm not aware of. In any case, it's probably a good idea to patch this to make it explicitly secure. If you discover a hard-limit in the kernel for open file descriptors, please let me know. I'm genuinely ​interested :D! Best Regards, Jordy > On 08/20/2021 12:05 PM Kees Cook wrote: > > > On Fri, Aug 20, 2021 at 07:57:25AM -0700, James Bottomley wrote: > > On Fri, 2021-08-20 at 06:33 +0200, Jordy Zomer wrote: > > > As you can see there's an `atomic_inc` for each `memfd` that is > > > opened in the `memfd_secret` syscall. If a local attacker succeeds to > > > open 2^32 memfd's, the counter will wrap around to 0. This implies > > > that you may hibernate again, even though there are still regions of > > > this secret memory, thereby bypassing the security check. > > > > This isn't a possible attack, is it? secret memory is per process and > > each process usually has an open fd limit of 1024. That's not to say > > we shouldn't have overflow protection just in case, but I think today > > we don't have a problem. > > But it's a _global_ setting, so it's still possible, though likely > impractical today. But refcount_t mitigates it and is a trivial change. > :) > > -- > Kees Cook