+ mm-secretmem-avoid-letting-secretmem_users-drop-to-zero.patch added to -mm tree - Linux-stable-mirror

22 Oct 2021

The patch titled
     Subject: mm/secretmem: avoid letting secretmem_users drop to zero
has been added to the -mm tree.  Its filename is
     mm-secretmem-avoid-letting-secretmem_users-drop-to-zero.patch
This patch should soon appear at
    https://ozlabs.org/~akpm/mmots/broken-out/mm-secretmem-avoid-letting-secretm...
and later at
    https://ozlabs.org/~akpm/mmotm/broken-out/mm-secretmem-avoid-letting-secretm...
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Kees Cook keescook@chromium.org
Subject: mm/secretmem: avoid letting secretmem_users drop to zero
Quoting Dmitry: "refcount_inc() needs to be done before fd_install(). 
After fd_install() finishes, the fd can be used by userspace and we can
have secret data in memory before the refcount_inc().
A straightforward misuse where a user will predict the returned fd in
another thread before the syscall returns and will use it to store secret
data is somewhat dubious because such a user just shoots themself in the
foot.
But a more interesting misuse would be to close the predicted fd and
decrement the refcount before the corresponding refcount_inc, this way one
can briefly drop the refcount to zero while there are other users of
secretmem."
Move fd_install() after refcount_inc().
Link: https://lkml.kernel.org/r/20211021154046.880251-1-keescook@chromium.org
Link: https://lore.kernel.org/lkml/CACT4Y+b1sW6-Hkn8HQYw_SsT7X3tp-CJNh2ci0wG3ZnQz9...
Fixes: 9a436f8ff631 ("PM: hibernate: disable when there are active secretmem users")
Signed-off-by: Kees Cook keescook@chromium.org
Reported-by: Dmitry Vyukov dvyukov@google.com
Reviewed-by: Dmitry Vyukov dvyukov@google.com
Reviewed-by: David Hildenbrand david@redhat.com
Reviewed-by: Jordy Zomer jordy@pwning.systems
Cc: Mike Rapoport rppt@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton akpm@linux-foundation.org
---
mm/secretmem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/secretmem.c~mm-secretmem-avoid-letting-secretmem_users-drop-to-zero
+++ a/mm/secretmem.c
@@ -217,8 +217,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned i
file->f_flags |= O_LARGEFILE;
-	fd_install(fd, file);
    refcount_inc(&secretmem_users);
+	fd_install(fd, file);
    return fd;
err_put_fd:
_
Patches currently in -mm which might be from keescook@chromium.org are
mm-secretmem-avoid-letting-secretmem_users-drop-to-zero.patch
kasan-test-bypass-__alloc_size-checks.patch
rapidio-avoid-bogus-__alloc_size-warning.patch
compiler-attributes-add-__alloc_size-for-better-bounds-checking.patch
slab-clean-up-function-prototypes.patch
slab-add-__alloc_size-attributes-for-better-bounds-checking.patch
mm-kvmalloc-add-__alloc_size-attributes-for-better-bounds-checking.patch
mm-vmalloc-add-__alloc_size-attributes-for-better-bounds-checking.patch
mm-page_alloc-add-__alloc_size-attributes-for-better-bounds-checking.patch
percpu-add-__alloc_size-attributes-for-better-bounds-checking.patch
kasan-test-consolidate-workarounds-for-unwanted-__alloc_size-protection.patch
maintainers-add-exec-binfmt-section-with-myself-and-eric.patch
binfmt_elf-reintroduce-using-map_fixed_noreplace.patch

    