Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t

From: Kees Cook
Date: Fri Aug 20 2021 - 12:11:16 EST

Next message: Jiri Kosina: "Re: [PATCH v2 55/63] HID: roccat: Use struct_group() to zero kone_mouse_event"
Previous message: Joerg Roedel: "Re: [PATCH] x86/efi: Restore Firmware IDT in before ExitBootServices()"
In reply to: James Bottomley: "Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t"
Next in thread: Jordy Zomer: "Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 20, 2021 at 07:57:25AM -0700, James Bottomley wrote:
> On Fri, 2021-08-20 at 06:33 +0200, Jordy Zomer wrote:
> > As you can see there's an `atomic_inc` for each `memfd` that is
> > opened in the `memfd_secret` syscall. If a local attacker succeeds to
> > open 2^32 memfd's, the counter will wrap around to 0. This implies
> > that you may hibernate again, even though there are still regions of
> > this secret memory, thereby bypassing the security check.
>
> This isn't a possible attack, is it? secret memory is per process and
> each process usually has an open fd limit of 1024. That's not to say
> we shouldn't have overflow protection just in case, but I think today
> we don't have a problem.

But it's a _global_ setting, so it's still possible, though likely
impractical today. But refcount_t mitigates it and is a trivial change.
:)

--
Kees Cook

Next message: Jiri Kosina: "Re: [PATCH v2 55/63] HID: roccat: Use struct_group() to zero kone_mouse_event"
Previous message: Joerg Roedel: "Re: [PATCH] x86/efi: Restore Firmware IDT in before ExitBootServices()"
In reply to: James Bottomley: "Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t"
Next in thread: Jordy Zomer: "Re: [PATCH] mm/secretmem: use refcount_t instead of atomic_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]