lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <61159548.60cf.18baec1fd65.Coremail.00107082@163.com>
Date:   Wed, 8 Nov 2023 19:47:10 +0800 (CST)
From:   "David Wang" <00107082@....com>
To:     akpm@...ux-foundation.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: [BUG?] mm/secretmem: memory address mapped to memfd_secret can be
 used in write syscall.


Hi,
According to https://lwn.net/Articles/865256/, 
the memory address got from memfd_secret/ftruncate/mmap should not be used by syscalls, since it is not accessible even by kernel.

But my test result shows that the "secret" memory could be used in  syscall write, is this expected behavior?
This is my test code:

int main() {
	int fd = syscall(__NR_memfd_secret, 0);
	if (fd < 0) {
		perror("Fail to create secret");
		return -1;
	}
	if (ftruncate(fd, 1024) < 0) {
		perror("Fail to size the secret");
		return -1;
	}
	char *key = mmap(NULL, 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	if (key == MAP_FAILED) {
		perror("Fail to mmap");
		return -1;
	}
	// should be some secure channel
	strcpy(key, "ThisIsAKey");
	// printf("[%d]key(%s) ready: %p\n", getpid(), key, key);
	// getchar();
	// make syscall, should err
	write(STDOUT_FILENO, key, strlen(key));  //<-- Here the key shows up on stdout.

	return 0;
}

Thanks
David


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ