| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEXW_YRb4PsFgEvHW2QBDY5dxJ+aoMTn3qtj5v9eboxO3SxPLg@mail.gmail.com>
Date: Tue, 10 Dec 2024 17:51:29 -0500
From: Joel Fernandes <joel@...lfernandes.org>
To: Jann Horn <jannh@...gle.com>
Cc: Gerd Hoffmann <kraxel@...hat.com>, Vivek Kasireddy <vivek.kasireddy@...el.com>,
Sumit Semwal <sumit.semwal@...aro.org>, Christian König <christian.koenig@....com>,
Simona Vetter <simona.vetter@...ll.ch>, John Stultz <jstultz@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>, dri-devel@...ts.freedesktop.org,
linux-media@...r.kernel.org, linaro-mm-sig@...ts.linaro.org,
linux-kernel@...r.kernel.org, Julian Orth <ju.orth@...il.com>, stable@...r.kernel.org
Subject: Re: [PATCH v2 1/3] udmabuf: fix racy memfd sealing check
On Wed, Dec 4, 2024 at 11:27 AM Jann Horn <jannh@...gle.com> wrote:
>
> The current check_memfd_seals() is racy: Since we first do
> check_memfd_seals() and then udmabuf_pin_folios() without holding any
> relevant lock across both, F_SEAL_WRITE can be set in between.
> This is problematic because we can end up holding pins to pages in a
> write-sealed memfd.
>
> Fix it using the inode lock, that's probably the easiest way.
> In the future, we might want to consider moving this logic into memfd,
> especially if anyone else wants to use memfd_pin_folios().
I am curious, why is it not possible to have a reproducer for this
issue, is it not reproducible and is theoretical?
thanks,
- Joel
>
> Reported-by: Julian Orth <ju.orth@...il.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219106
> Closes: https://lore.kernel.org/r/CAG48ez0w8HrFEZtJkfmkVKFDhE5aP7nz=obrimeTgpD+StkV9w@mail.gmail.com
> Fixes: fbb0de795078 ("Add udmabuf misc device")
> Cc: stable@...r.kernel.org
> Signed-off-by: Jann Horn <jannh@...gle.com>
> ---
> drivers/dma-buf/udmabuf.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index 8ce1f074c2d32a0a9f59ff7184359e37d56548c6..c1d8c2766d6d36fc5fe1b3d73057f6e01ec6678f 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -436,14 +436,19 @@ static long udmabuf_create(struct miscdevice *device,
> goto err;
> }
>
> + /*
> + * Take the inode lock to protect against concurrent
> + * memfd_add_seals(), which takes this lock in write mode.
> + */
> + inode_lock_shared(file_inode(memfd));
> ret = check_memfd_seals(memfd);
> - if (ret < 0) {
> - fput(memfd);
> - goto err;
> - }
> + if (ret)
> + goto out_unlock;
>
> ret = udmabuf_pin_folios(ubuf, memfd, list[i].offset,
> list[i].size, folios);
> +out_unlock:
> + inode_unlock_shared(file_inode(memfd));
> fput(memfd);
> if (ret)
> goto err;
>
> --
> 2.47.0.338.g60cca15819-goog
>
Powered by blists - more mailing lists