lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <33d0f861-496e-4baa-9034-b0a356e6a720@lucifer.local>
Date: Wed, 22 Jan 2025 12:47:31 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
        linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd
 mappings read-only

On Wed, Jan 22, 2025 at 01:36:32PM +0100, Greg KH wrote:
> On Wed, Jan 22, 2025 at 11:51:10AM +0000, Lorenzo Stoakes wrote:
> > On Sun, Sep 16, 2001 at 11:00:00PM +0000, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > mm: reinstate ability to map write-sealed memfd mappings read-only
> >
> > Hi Greg,
> >
> > This is not a vulnerability and I don't see how it could possibly be
> > exploited. So unless somebody can suggest a means by which it could be, I
> > suggest this CVE should be dropped.
> >
> > Thanks, Lorenzo
> >
> > >
> > > Patch series "mm: reinstate ability to map write-sealed memfd mappings
> > > read-only".
> > >
> > > In commit 158978945f31 ("mm: perform the mapping_map_writable() check
> > > after call_mmap()") (and preceding changes in the same series) it became
> > > possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
>
> I thought the ability to mmap a sealed memfd mapping as read-only that
> didn't want to be mmaped that way was a "vulnerability fix".

The TL;DR is it's not security-related, the 'TL' is below :P

Yeah perhaps I wasn't clear enough in the commit message - for the longest
time the man page described the ability to mmap() PROT_READ a F_SEAL_WRITE
memfd (or at least - implied - you could do this) - but due to the
mechanism by which these write seals operate, you weren actually't able to.

The reason for this is the VM_MAYWRITE flag will naturally still be set (as
you could mprotect() PROT_WRITE the region).

My solution was to explicitly drop VM_MAYWRITE in this scenario, which
explicitly disallows this, so it is then fine to mmap() PROT_READ the
region and get the desired semantics - at no point are you able to do
anything not permitted by the write seal.

However, when applying the various mmap_region() security features, we had
to move a bunch of these checks around, which accidentally again prevented
the PROT_READ mmap() of these write sealed memfd's (simply due to _where_
things happened).

So this patch was just me finding a different way to achieve the same thing
to account for the new way in which we do mmap() basically.

At no time was a user able to work around these seals (or, in the spirit of
security I should say - at no time was able to work around these seals
_this way_, nor _to my knowledge_ any other way :)

>
> If you don't think so, then that's fine, we'll be glad to revoke this,
> just let us know.

Indeed yeah, I think in this case it's not a security thing so I think it's
appropriate to revoke.

>
> thanks,
>
> greg k-h

Cheers, Lorenzo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ