From patchwork Thu Oct 28 21:36:21 2021
X-Patchwork-Submitter: Andrew Morton
X-Patchwork-Id: 12591231
Date: Thu, 28 Oct 2021 14:36:21 -0700
From: Andrew Morton
To: akpm@linux-foundation.org, david@redhat.com, dvyukov@google.com, jordy@pwning.systems, keescook@chromium.org, linux-mm@kvack.org, mm-commits@vger.kernel.org, rppt@kernel.org, torvalds@linux-foundation.org
Subject: [patch 06/11] mm/secretmem: avoid letting secretmem_users drop to zero
Message-ID: <20211028213621.YTZcxbpZE%akpm@linux-foundation.org>
In-Reply-To: <20211028143506.5f5d5e2cd1f768a1da864844@linux-foundation.org>
From: Kees Cook
Subject: mm/secretmem: avoid letting secretmem_users drop to zero

Quoting Dmitry:

"refcount_inc() needs to be done before fd_install(). After fd_install() finishes, the fd can be used by userspace and we can have secret data in memory before the refcount_inc().

A straightforward misuse where a user will predict the returned fd in another thread before the syscall returns and will use it to store secret data is somewhat dubious because such a user just shoots themself in the foot. But a more interesting misuse would be to close the predicted fd and decrement the refcount before the corresponding refcount_inc, this way one can briefly drop the refcount to zero while there are other users of secretmem."

Move fd_install() after refcount_inc().

Link: https://lkml.kernel.org/r/20211021154046.880251-1-keescook@chromium.org
Link: https://lore.kernel.org/lkml/CACT4Y+b1sW6-Hkn8HQYw_SsT7X3tp-CJNh2ci0wG3ZnQz9jjig@mail.gmail.com
Fixes: 9a436f8ff631 ("PM: hibernate: disable when there are active secretmem users")
Signed-off-by: Kees Cook
Reported-by: Dmitry Vyukov
Reviewed-by: Dmitry Vyukov
Reviewed-by: David Hildenbrand
Reviewed-by: Jordy Zomer
Cc: Mike Rapoport
Signed-off-by: Andrew Morton
---

 mm/secretmem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/secretmem.c~mm-secretmem-avoid-letting-secretmem_users-drop-to-zero
+++ a/mm/secretmem.c
@@ -218,8 +218,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned i
 	file->f_flags |= O_LARGEFILE;
-	fd_install(fd, file);
 	atomic_inc(&secretmem_users);
+	fd_install(fd, file);
 	return fd;
 err_put_fd:
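Review bot: the commit message and the quoted report say refcount_inc(), but the counter this hunk reorders is atomic_inc(&secretmem_users), a plain atomic_t with no underflow check, so the "briefly drop to zero" case would silently make the active-users test read false rather than warn; consider saying atomic_inc() in the message, or converting the counter to refcount_t in a follow-up. The reordering itself is right: fd_install() is the point after which another thread can close() the predicted fd and run the decrement, and because nothing between atomic_inc(&secretmem_users) and return fd can fail, the increment needs no unwinding on the err_put_fd path.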
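The interleaving Dmitry describes above, as an added example that is not part of this patch or of mm/secretmem.c: a single-threaded C model in which fd_table, users, install_fd(), close_fd(), racing_closer() and the create_buggy()/create_fixed() functions are hypothetical stand-ins for the task's fd table, secretmem_users, fd_install(), close() and the body of memfd_secret(). Instead of racing real threads, it runs the predicted close() at the one point the report cares about, inside the window between publishing the fd and bumping the counter, so the outcome is deterministic and shows both the zero-with-other-users case and the plain underflow.

```c
#include <stdbool.h>
#include <stdio.h>

#define NFDS 8

/* Hypothetical stand-ins (not kernel code): fd_table models the task's fd
 * table, users models secretmem_users, min_users_seen records the lowest
 * counter value seen while a secretmem file existed. */
static void *fd_table[NFDS];
static int users;
static int min_users_seen;

static void observe(void)
{
	if (users < min_users_seen)
		min_users_seen = users;
}

/* Stand-in for fd_install(): publishes the file under the lowest free fd. */
static int install_fd(void *file)
{
	for (int fd = 0; fd < NFDS; fd++) {
		if (!fd_table[fd]) {
			fd_table[fd] = file;
			return fd;
		}
	}
	return -1;
}

/* Stand-in for close(): the release path drops the counter.
 * Returns false (EBADF) when the fd has not been installed yet. */
static bool close_fd(int fd)
{
	if (fd < 0 || fd >= NFDS || !fd_table[fd])
		return false;
	fd_table[fd] = NULL;
	users--;
	observe();
	return true;
}

/* The second thread from the report: it has guessed the fd number and
 * calls close() on it as early as the scheduler lets it. */
static bool racing_closer(int predicted_fd)
{
	return close_fd(predicted_fd);
}

/* Pre-fix ordering: publish first, account afterwards. The closer is
 * modelled as running in the window between the two steps. */
static int create_buggy(void *file, int predicted_fd)
{
	int fd = install_fd(file);

	racing_closer(predicted_fd);	/* fd is visible: close succeeds, users drops */
	users++;
	observe();
	return fd;
}

/* Post-fix ordering: account first, publish afterwards. The early close
 * finds nothing installed (EBADF) and cannot decrement. */
static int create_fixed(void *file, int predicted_fd)
{
	users++;
	racing_closer(predicted_fd);	/* nothing installed yet: no decrement */
	observe();
	return install_fd(file);
}

/* Run one scenario with `existing` other secretmem users already open and
 * return the lowest value the counter ever showed. With the buggy order one
 * other user is enough to drive it to zero and no other user drives it
 * negative; with the fixed order it never goes below `existing`. */
static int lowest_users(bool fixed, int existing)
{
	static int file;	/* any non-NULL address stands for the new file */

	for (int i = 0; i < NFDS; i++)
		fd_table[i] = NULL;
	users = existing;
	min_users_seen = existing;

	/* The closer predicts the lowest free fd, which is 0 in this model. */
	if (fixed)
		create_fixed(&file, 0);
	else
		create_buggy(&file, 0);
	return min_users_seen;
}

int main(void)
{
	printf("buggy order, one other user: lowest users = %d\n", lowest_users(false, 1));
	printf("buggy order, no other users: lowest users = %d\n", lowest_users(false, 0));
	printf("fixed order, one other user: lowest users = %d\n", lowest_users(true, 1));
	printf("fixed order, no other users: lowest users = %d\n", lowest_users(true, 0));
	return 0;
}
```

Build with `cc -Wall` and run. The buggy order reports 0 with one other user, which is the "briefly drop the refcount to zero while there are other users" case that would make a check like the hibernate one read no active users, and -1 with none; the fixed order reports the pre-existing count in both cases, because the increment is already in place when the fd becomes visible and the early close gets EBADF.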