From patchwork Thu Oct 21 15:40:46 2021
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 12575645
From: Kees Cook
To: Andrew Morton
Cc: Kees Cook, Mike Rapoport, Jordy Zomer, linux-mm@kvack.org, Dmitry Vyukov, James Bottomley, David Hildenbrand, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH] mm/secretmem: Avoid letting secretmem_users drop to zero
Date: Thu, 21 Oct 2021 08:40:46 -0700
Message-Id: <20211021154046.880251-1-keescook@chromium.org>
X-Mailer: git-send-email 2.30.2
Quoting Dmitry:

"refcount_inc() needs to be done before fd_install(). After fd_install() finishes, the fd can be used by userspace and we can have secret data in memory before the refcount_inc().

A straightforward mis-use where a user will predict the returned fd in another thread before the syscall returns and will use it to store secret data is somewhat dubious because such a user just shoots themself in the foot. But a more interesting mis-use would be to close the predicted fd and decrement the refcount before the corresponding refcount_inc, this way one can briefly drop the refcount to zero while there are other users of secretmem."

Move fd_install() after refcount_inc().

Cc: Mike Rapoport
Cc: Jordy Zomer
Cc: linux-mm@kvack.org
Reported-by: Dmitry Vyukov
Link: https://lore.kernel.org/lkml/CACT4Y+b1sW6-Hkn8HQYw_SsT7X3tp-CJNh2ci0wG3ZnQz9jjig@mail.gmail.com
Fixes: 9a436f8ff631 ("PM: hibernate: disable when there are active secretmem users")
Signed-off-by: Kees Cook
Reviewed-by: Dmitry Vyukov
Reviewed-by: David Hildenbrand
Reviewed-by: Jordy Zomer
---
 mm/secretmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/secretmem.c b/mm/secretmem.c index 1fea68b8d5a6..924d84ba481f 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -217,8 +217,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags) file->f_flags |= O_LARGEFILE; - fd_install(fd, file); refcount_inc(&secretmem_users); + fd_install(fd, file); return fd; err_put_fd:
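Review bot: The reorder in the hunk is sufficient on its own because fd_install() publishes the file to the fd table and is followed directly by return fd, so with refcount_inc(&secretmem_users) now ahead of it there is no window in which a close() on a predicted fd can run the release-side decrement before the increment; nothing between refcount_inc() and return fd can jump to err_put_fd:, so that label needs no matching decrement. One suggestion: add a one-line comment above fd_install(fd, file) stating that it must remain the last step before return fd, since the ordering is what keeps secretmem_users from reading zero while secret pages exist, which is the property the hibernate check named in the Fixes: tag relies on, and an unrelated later edit could otherwise swap the two calls back.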