Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only
From: Lorenzo Stoakes
Date: Wed Jan 22 2025 - 06:52:08 EST
On Sun, Sep 16, 2001 at 11:00:00PM +0000, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> mm: reinstate ability to map write-sealed memfd mappings read-only
Hi Greg,

This is not a vulnerability and I don't see how it could possibly be
exploited. So unless somebody can suggest a means by which it could be, I
suggest this CVE should be dropped.

Thanks, Lorenzo
>
> Patch series "mm: reinstate ability to map write-sealed memfd mappings
> read-only".
>
> In commit 158978945f31 ("mm: perform the mapping_map_writable() check
> after call_mmap()") (and preceding changes in the same series) it became
> possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
>
> Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
> behaviour") unintentionally undid this logic by moving the
> mapping_map_writable() check before the shmem_mmap() hook is invoked,
> thereby regressing this change.
>
> This series reworks how we both permit write-sealed mappings being mapped
> read-only and disallow mprotect() from undoing the write-seal, fixing this
> regression.
>
> We also add a regression test to ensure that we do not accidentally
> regress this in future.
>
> Thanks to Julian Orth for reporting this regression.
>
>
> This patch (of 2):
>
> In commit 158978945f31 ("mm: perform the mapping_map_writable() check
> after call_mmap()") (and preceding changes in the same series) it became
> possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
>
> This was previously unnecessarily disallowed, despite the man page
> documentation indicating that it would be, thereby limiting the usefulness
> of F_SEAL_WRITE logic.
>
> We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
> seal (one which disallows future writes to the memfd) to also be used for
> F_SEAL_WRITE.
>
> For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
> read-only mapping to disallow mprotect() from overriding the seal - an
> operation performed by seal_check_write(), invoked from shmem_mmap(), the
> f_op->mmap() hook used by shmem mappings.
>
> By extending this to F_SEAL_WRITE and critically - checking
> mapping_map_writable() to determine if we may map the memfd AFTER we
> invoke shmem_mmap() - the desired logic becomes possible. This is because
> mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
> have cleared.
>
> Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
> behaviour") unintentionally undid this logic by moving the
> mapping_map_writable() check before the shmem_mmap() hook is invoked,
> thereby regressing this change.
>
> We reinstate this functionality by moving the check out of shmem_mmap()
> and instead performing it in do_mmap() at the point at which VMA flags are
> being determined, which seems in any case to be a more appropriate place
> in which to make this determination.
>
> In order to achieve this we rework memfd seal logic to allow us access to
> this information using existing logic and eliminate the clearing of
> VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
> instead.
>
> The Linux kernel CVE team has assigned CVE-2024-57937 to this issue.
>
>
> Affected and fixed versions
> ===========================
>
> Issue introduced in 6.12 with commit 5de195060b2e251a835f622759550e6202167641 and fixed in 6.12.9 with commit 464770df46095e6967334d77113972960f7ef1fa
> Issue introduced in 6.12 with commit 5de195060b2e251a835f622759550e6202167641 and fixed in 6.13 with commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1
> Issue introduced in 5.10.231 with commit 43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed
> Issue introduced in 5.15.174 with commit 44f48eb9a6051826227bbd375446064fb2a43c6c
> Issue introduced in 6.1.119 with commit 52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8
> Issue introduced in 6.6.63 with commit bdc136e2b05fabcd780fe5f165d154eb779dfcb0
>
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions. The official CVE entry at
> https://cve.org/CVERecord/?id=CVE-2024-57937
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> include/linux/memfd.h
> include/linux/mm.h
> mm/memfd.c
> mm/mmap.c
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes. Individual
> changes are never tested alone, but rather are part of a larger kernel
> release. Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all. If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> https://git.kernel.org/stable/c/464770df46095e6967334d77113972960f7ef1fa
> https://git.kernel.org/stable/c/8ec396d05d1b737c87311fb7311f753b02c2a6b1
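As an added example, not part of the advisory or of the patch series it describes (the series carries its own kernel selftest), the C probe below exercises the behaviour the quoted commit message explains: it seals a fresh memfd, then records what write(2), a shared writable mmap(), a shared read-only mmap() and a subsequent mprotect(PROT_WRITE) on that mapping do. It goes slightly beyond the text by running the same probe under F_SEAL_FUTURE_WRITE, whose read-only-mapping handling is the logic the series adapted, and under F_SEAL_WRITE, where the read-only shared mapping succeeds on fixed kernels and fails with EPERM on the affected versions listed above; that difference is how a practitioner can tell which side of the regression the running kernel is on. It assumes Linux with memfd sealing and a glibc toolchain (it issues the raw memfd_create syscall so it also builds against headers older than glibc 2.27); the names probe_sealed_memfd, seal_probe, memfd_create_raw and the sample string are the example's own, not the kernel's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values are the kernel uapi ones
 * (include/uapi/linux/fcntl.h, include/uapi/linux/memfd.h). */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS         1033
#define F_SEAL_WRITE        0x0008
#endif
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010
#endif
#ifndef MFD_ALLOW_SEALING
#define MFD_CLOEXEC         1U
#define MFD_ALLOW_SEALING   2U
#endif

struct seal_probe {
    int write_errno;    /* errno from write(2) after sealing; EPERM on every kernel   */
    int rw_map_errno;   /* errno from PROT_WRITE|MAP_SHARED mmap(); EPERM everywhere  */
    int ro_map_ok;      /* 1 if PROT_READ|MAP_SHARED mmap() succeeded                 */
    int ro_map_errno;   /* errno when it did not (EPERM on the regressed kernels)     */
    int mprotect_errno; /* errno from mprotect(PROT_WRITE) on that mapping; EACCES    */
    int contents_match; /* 1 if the read-only mapping shows the pre-seal data         */
};

/* Constructed sample data, written into the memfd before it is sealed. */
static const char sample[] = "written before sealing";

static int memfd_create_raw(const char *name, unsigned int flags)
{
    /* Raw syscall so the probe also builds against pre-2.27 glibc headers. */
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* Apply `seal` (F_SEAL_WRITE or F_SEAL_FUTURE_WRITE) to a fresh memfd and
 * record what write(), mmap() and mprotect() then do. Returns 0 and fills *p,
 * or -errno if the setup itself failed (no memfd support, sealing refused). */
int probe_sealed_memfd(int seal, struct seal_probe *p)
{
    long page = sysconf(_SC_PAGESIZE);
    int fd, e;

    memset(p, 0, sizeof(*p));
    fd = memfd_create_raw("seal-probe", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -errno;
    /* No mapping exists yet, so F_ADD_SEALS cannot fail with EBUSY. */
    if (ftruncate(fd, page) < 0 ||
        pwrite(fd, sample, sizeof(sample), 0) != (ssize_t)sizeof(sample) ||
        fcntl(fd, F_ADD_SEALS, seal) < 0) {
        e = errno;
        close(fd);
        return -e;
    }

    /* 1. The seal refuses write(2) on the file. */
    if (pwrite(fd, "x", 1, 0) < 0)
        p->write_errno = errno;

    /* 2. A shared writable mapping (VM_SHARED with VM_WRITE) is refused. */
    void *rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED)
        p->rw_map_errno = errno;
    else
        munmap(rw, page);

    /* 3. A shared read-only mapping. For F_SEAL_WRITE this is exactly what the
     *    series restores; the regressed kernels return EPERM here instead. */
    void *ro = mmap(NULL, page, PROT_READ, MAP_SHARED, fd, 0);
    if (ro == MAP_FAILED) {
        p->ro_map_errno = errno;
    } else {
        p->ro_map_ok = 1;
        p->contents_match = memcmp(ro, sample, sizeof(sample)) == 0;
        /* 4. VM_MAYWRITE was cleared, so mprotect() cannot undo the seal. */
        if (mprotect(ro, page, PROT_READ | PROT_WRITE) < 0)
            p->mprotect_errno = errno;
        munmap(ro, page);
    }
    close(fd);
    return 0;
}

static const char *outcome(int err)
{
    return err ? strerror(err) : "allowed (unexpected)";
}

static void report(const char *name, int seal)
{
    struct seal_probe p;
    int rc = probe_sealed_memfd(seal, &p);

    if (rc < 0) {
        printf("%s: setup failed: %s\n", name, strerror(-rc));
        return;
    }
    printf("%s:\n  write():                    %s\n  PROT_WRITE|MAP_SHARED mmap: %s\n",
           name, outcome(p.write_errno), outcome(p.rw_map_errno));
    if (p.ro_map_ok)
        printf("  PROT_READ|MAP_SHARED mmap:  ok, contents %s; mprotect(PROT_WRITE): %s\n",
               p.contents_match ? "match" : "DIFFER", outcome(p.mprotect_errno));
    else
        printf("  PROT_READ|MAP_SHARED mmap:  %s\n", strerror(p.ro_map_errno));
}

int main(void)
{
    report("F_SEAL_FUTURE_WRITE", F_SEAL_FUTURE_WRITE);
    report("F_SEAL_WRITE", F_SEAL_WRITE);
    return 0;
}
```

Build with `cc -O2 -Wall probe.c -o probe` and run it unprivileged; no capability is needed. On a fixed kernel both seals report EPERM for write() and for the writable shared map, a successful read-only shared map whose contents match, and EACCES from mprotect(); on the affected versions listed above the F_SEAL_WRITE read-only map reports EPERM instead, while the F_SEAL_FUTURE_WRITE line is unchanged.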