Commit 72de2591 authored by Jeff Xu's avatar Jeff Xu Committed by Andrew Morton
Browse files

mm/memfd: sysctl: fix MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED 

Patch series "mm/memfd: fix sysctl MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED", v2.

When sysctl vm.memfd_noexec is 2 (MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED),
memfd_create(.., MFD_EXEC) should fail.

This complies with how MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED is defined -
"memfd_create() without MFD_NOEXEC_SEAL will be rejected"

Thanks to Dominique Martinet <asmadeus@codewreck.org> who reported the bug.
see [1] for context.

[1] https://lore.kernel.org/linux-mm/CABi2SkXUX_QqTQ10Yx9bBUGpN1wByOi_=gZU6WEy5a8MaQY3Jw@mail.gmail.com/T/


This patch (of 2):

When vm.memfd_noexec is 2 (MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED),
memfd_create(.., MFD_EXEC) should fail.

This complies with how MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED is
defined - "memfd_create() without MFD_NOEXEC_SEAL will be rejected"

Link: https://lkml.kernel.org/r/20230705063315.3680666-1-jeffxu@google.com
Link: https://lkml.kernel.org/r/20230705063315.3680666-2-jeffxu@google.com


Fixes: 105ff533 ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC")
Reported-by: default avatarDominique Martinet <asmadeus@codewreck.org>
Closes: https://lore.kernel.org/linux-mm/CABi2SkXUX_QqTQ10Yx9bBUGpN1wByOi_=gZU6WEy5a8MaQY3Jw@mail.gmail.com/T/


Reported-by: default avatarkernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202306301351.kkbSegQW-lkp@intel.com/


Signed-off-by: default avatarJeff Xu <jeffxu@google.com>
Cc: Daniel Verkamp <dverkamp@chromium.org>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jorge Lucangeli Obes <jorgelo@chromium.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent 8a144612

mm/memfd.c

+33 −24
Original line number Diff line number Diff line
@@ -268,6 +268,36 @@ long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg) 


#define MFD_ALL_FLAGS (MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_NOEXEC_SEAL | MFD_EXEC)



static int check_sysctl_memfd_noexec(unsigned int *flags)

{

#ifdef CONFIG_SYSCTL

	char comm[TASK_COMM_LEN];

	int sysctl = MEMFD_NOEXEC_SCOPE_EXEC;

	struct pid_namespace *ns;



	ns = task_active_pid_ns(current);

	if (ns)

		sysctl = ns->memfd_noexec_scope;



	if (!(*flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) {

		if (sysctl == MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL)

			*flags |= MFD_NOEXEC_SEAL;

		else

			*flags |= MFD_EXEC;

	}



	if (*flags & MFD_EXEC && sysctl >= MEMFD_NOEXEC_SCOPE_NOEXEC_ENFORCED) {

		pr_warn_once(

			"memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n",

			task_pid_nr(current), get_task_comm(comm, current));



		return -EACCES;

	}

#endif



	return 0;

}



SYSCALL_DEFINE2(memfd_create,

		const char __user *, uname,

		unsigned int, flags)
@@ -294,35 +324,14 @@ SYSCALL_DEFINE2(memfd_create, 
		return -EINVAL;



	if (!(flags & (MFD_EXEC | MFD_NOEXEC_SEAL))) {

#ifdef CONFIG_SYSCTL

		int sysctl = MEMFD_NOEXEC_SCOPE_EXEC;

		struct pid_namespace *ns;



		ns = task_active_pid_ns(current);

		if (ns)

			sysctl = ns->memfd_noexec_scope;



		switch (sysctl) {

		case MEMFD_NOEXEC_SCOPE_EXEC:

			flags |= MFD_EXEC;

			break;

		case MEMFD_NOEXEC_SCOPE_NOEXEC_SEAL:

			flags |= MFD_NOEXEC_SEAL;

			break;

		default:

			pr_warn_once(

				"memfd_create(): MFD_NOEXEC_SEAL is enforced, pid=%d '%s'\n",

				task_pid_nr(current), get_task_comm(comm, current));

			return -EINVAL;

		}

#else

		flags |= MFD_EXEC;

#endif

		pr_warn_once(

			"memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=%d '%s'\n",

			task_pid_nr(current), get_task_comm(comm, current));

	}



	if (check_sysctl_memfd_noexec(&flags) < 0)

		return -EACCES;



	/* length includes terminating zero */

	len = strnlen_user(uname, MFD_NAME_MAX_LEN + 1);

	if (len <= 0)