lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2025012255-worshiper-doorframe-ba19@gregkh>
Date: Wed, 22 Jan 2025 13:51:11 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	linux-cve-announce@...r.kernel.org
Subject: Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd
 mappings read-only

On Wed, Jan 22, 2025 at 12:47:31PM +0000, Lorenzo Stoakes wrote:
> On Wed, Jan 22, 2025 at 01:36:32PM +0100, Greg KH wrote:
> > On Wed, Jan 22, 2025 at 11:51:10AM +0000, Lorenzo Stoakes wrote:
> > > On Sun, Sep 16, 2001 at 11:00:00PM +0000, Greg Kroah-Hartman wrote:
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > mm: reinstate ability to map write-sealed memfd mappings read-only
> > >
> > > Hi Greg,
> > >
> > > This is not a vulnerability and I don't see how it could possibly be
> > > exploited. So unless somebody can suggest a means by which it could be, I
> > > suggest this CVE should be dropped.
> > >
> > > Thanks, Lorenzo
> > >
> > > >
> > > > Patch series "mm: reinstate ability to map write-sealed memfd mappings
> > > > read-only".
> > > >
> > > > In commit 158978945f31 ("mm: perform the mapping_map_writable() check
> > > > after call_mmap()") (and preceding changes in the same series) it became
> > > > possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
> >
> > I thought the ability to mmap a sealed memfd mapping as read-only that
> > didn't want to be mmaped that way was a "vulnerability fix".
> 
> The TL;DR is it's not security-related, the 'TL' is below :P
> 
> Yeah perhaps I wasn't clear enough in the commit message - for the longest
> time the man page described the ability to mmap() PROT_READ a F_SEAL_WRITE
> memfd (or at least - implied - you could do this) - but due to the
> mechanism by which these write seals operate, you weren actually't able to.
> 
> The reason for this is the VM_MAYWRITE flag will naturally still be set (as
> you could mprotect() PROT_WRITE the region).
> 
> My solution was to explicitly drop VM_MAYWRITE in this scenario, which
> explicitly disallows this, so it is then fine to mmap() PROT_READ the
> region and get the desired semantics - at no point are you able to do
> anything not permitted by the write seal.
> 
> However, when applying the various mmap_region() security features, we had
> to move a bunch of these checks around, which accidentally again prevented
> the PROT_READ mmap() of these write sealed memfd's (simply due to _where_
> things happened).
> 
> So this patch was just me finding a different way to achieve the same thing
> to account for the new way in which we do mmap() basically.
> 
> At no time was a user able to work around these seals (or, in the spirit of
> security I should say - at no time was able to work around these seals
> _this way_, nor _to my knowledge_ any other way :)
> 
> >
> > If you don't think so, then that's fine, we'll be glad to revoke this,
> > just let us know.
> 
> Indeed yeah, I think in this case it's not a security thing so I think it's
> appropriate to revoke.

Thanks for the "TL" that makes more sense :)

Now revoked.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ