[BUG?] mm/secretmem: memory address mapped to memfd_secret can be used in write syscall.

From: David Wang
Date: Wed Nov 08 2023 - 06:47:54 EST

Next message: Kuen-Han Tsai: "Re: [PATCH] usb: gadget: uvc_video: unlock before submitting a request to ep"
Previous message: Alexander Graf: "Re: [RFC 03/33] KVM: x86: hyper-v: Introduce XMM output support"
Next in thread: David Hildenbrand: "Re: [BUG?] mm/secretmem: memory address mapped to memfd_secret can be used in write syscall."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,
According to https://lwn.net/Articles/865256/,
the memory address got from memfd_secret/ftruncate/mmap should not be used by syscalls, since it is not accessible even by kernel.

But my test result shows that the "secret" memory could be used in syscall write, is this expected behavior?
This is my test code:

int main() {
int fd = syscall(__NR_memfd_secret, 0);
if (fd < 0) {
perror("Fail to create secret");
return -1;
}
if (ftruncate(fd, 1024) < 0) {
perror("Fail to size the secret");
return -1;
}
char *key = mmap(NULL, 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (key == MAP_FAILED) {
perror("Fail to mmap");
return -1;
}
// should be some secure channel
strcpy(key, "ThisIsAKey");
// printf("[%d]key(%s) ready: %p\n", getpid(), key, key);
// getchar();
// make syscall, should err
write(STDOUT_FILENO, key, strlen(key)); //<-- Here the key shows up on stdout.

return 0;
}

Thanks
David

Next message: Kuen-Han Tsai: "Re: [PATCH] usb: gadget: uvc_video: unlock before submitting a request to ep"
Previous message: Alexander Graf: "Re: [RFC 03/33] KVM: x86: hyper-v: Introduce XMM output support"
Next in thread: David Hildenbrand: "Re: [BUG?] mm/secretmem: memory address mapped to memfd_secret can be used in write syscall."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]