www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Jordy Zomer <jordy@jordyzomer.github.io>
	Mon, 23 Aug 2021 23:59:45 +0000 (09:59 +1000)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Wed, 25 Aug 2021 23:34:28 +0000 (09:34 +1000)
commit	59f23b42c3ae176ba298be52cccdf1e69fc91b90
tree	9a9756e05d7aaeb1c2034fb286f8bb732c9a3269	tree
parent	c32716ab0ebf2762331977fc1f922ca48ee8136d	commit \| diff

mm/secretmem: use refcount_t instead of atomic_t

When a secret memory region is active, memfd_secret disables hibernation.
One of the goals is to keep the secret data from being written to
persistent-storage.

It accomplishes this by maintaining a reference count to
`secretmem_users`.  Once this reference is held your system can not be
hibernated due to the check in `hibernation_available()`.  However,
because `secretmem_users` is of type `atomic_t`, reference counter
overflows are possible.

As you can see there's an `atomic_inc` for each `memfd` that is opened in
the `memfd_secret` syscall.  If a local attacker succeeds to open 2^32
memfd's, the counter will wrap around to 0.  This implies that you may
hibernate again, even though there are still regions of this secret
memory, thereby bypassing the security check.

In an attempt to fix this I have used `refcount_t` instead of `atomic_t`
which prevents reference counter overflows.

Link: https://lkml.kernel.org/r/20210820043339.2151352-1-jordy@pwning.systems
Signed-off-by: Jordy Zomer <jordy@pwning.systems>
Cc: Kees Cook <keescook@chromium.org>,
Cc: Jordy Zomer <jordy@jordyzomer.github.io>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Mike Rapoport <rppt@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>