Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only

From: Lorenzo Stoakes
Date: Wed Jan 22 2025 - 07:47:55 EST

Next message: FUJITA Tomonori: "Re: [PATCH v8 3/7] rust: time: Introduce Instant type"
Previous message: Linus Walleij: "Re: [PATCH 4/5] pinctrl: Add pin controller driver for AAEON UP boards"
In reply to: Greg KH: "Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only"
Next in thread: Greg KH: "Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 22, 2025 at 01:36:32PM +0100, Greg KH wrote:
> On Wed, Jan 22, 2025 at 11:51:10AM +0000, Lorenzo Stoakes wrote:
> > On Sun, Sep 16, 2001 at 11:00:00PM +0000, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > mm: reinstate ability to map write-sealed memfd mappings read-only
> >
> > Hi Greg,
> >
> > This is not a vulnerability and I don't see how it could possibly be
> > exploited. So unless somebody can suggest a means by which it could be, I
> > suggest this CVE should be dropped.
> >
> > Thanks, Lorenzo
> >
> > >
> > > Patch series "mm: reinstate ability to map write-sealed memfd mappings
> > > read-only".
> > >
> > > In commit 158978945f31 ("mm: perform the mapping_map_writable() check
> > > after call_mmap()") (and preceding changes in the same series) it became
> > > possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
>
> I thought the ability to mmap a sealed memfd mapping as read-only that
> didn't want to be mmaped that way was a "vulnerability fix".

The TL;DR is it's not security-related, the 'TL' is below :P

Yeah perhaps I wasn't clear enough in the commit message - for the longest
time the man page described the ability to mmap() PROT_READ a F_SEAL_WRITE
memfd (or at least - implied - you could do this) - but due to the
mechanism by which these write seals operate, you weren actually't able to.

The reason for this is the VM_MAYWRITE flag will naturally still be set (as
you could mprotect() PROT_WRITE the region).

My solution was to explicitly drop VM_MAYWRITE in this scenario, which
explicitly disallows this, so it is then fine to mmap() PROT_READ the
region and get the desired semantics - at no point are you able to do
anything not permitted by the write seal.

However, when applying the various mmap_region() security features, we had
to move a bunch of these checks around, which accidentally again prevented
the PROT_READ mmap() of these write sealed memfd's (simply due to _where_
things happened).

So this patch was just me finding a different way to achieve the same thing
to account for the new way in which we do mmap() basically.

At no time was a user able to work around these seals (or, in the spirit of
security I should say - at no time was able to work around these seals
_this way_, nor _to my knowledge_ any other way :)

>
> If you don't think so, then that's fine, we'll be glad to revoke this,
> just let us know.

Indeed yeah, I think in this case it's not a security thing so I think it's
appropriate to revoke.

>
> thanks,
>
> greg k-h

Cheers, Lorenzo

Next message: FUJITA Tomonori: "Re: [PATCH v8 3/7] rust: time: Introduce Instant type"
Previous message: Linus Walleij: "Re: [PATCH 4/5] pinctrl: Add pin controller driver for AAEON UP boards"
In reply to: Greg KH: "Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only"
Next in thread: Greg KH: "Re: CVE-2024-57937: mm: reinstate ability to map write-sealed memfd mappings read-only"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]