1. Patchew
  2. linux
  3. View series

[PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall

Roberto Sassu posted 1 patch 2 years, 8 months ago 
mm/memfd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
[PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall
Posted by Roberto Sassu 2 years, 8 months ago 
From: Roberto Sassu <roberto.sassu@huawei.com>

Ensure that file_seals is non-NULL before using it in the memfd_create()
syscall. One situation in which memfd_file_seals_ptr() could return a NULL
pointer is when CONFIG_SHMEM=n.

Cc: stable@vger.kernel.org # 4.16.x
Fixes: 47b9012ecdc7 ("shmem: add sealing support to hugetlb-backed memfd")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 mm/memfd.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/mm/memfd.c b/mm/memfd.c
index 69b90c31d38..e763e76f110 100644
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -371,12 +371,15 @@ SYSCALL_DEFINE2(memfd_create,
 
 		inode->i_mode &= ~0111;
 		file_seals = memfd_file_seals_ptr(file);
-		*file_seals &= ~F_SEAL_SEAL;
-		*file_seals |= F_SEAL_EXEC;
+		if (file_seals) {
+			*file_seals &= ~F_SEAL_SEAL;
+			*file_seals |= F_SEAL_EXEC;
+		}
 	} else if (flags & MFD_ALLOW_SEALING) {
 		/* MFD_EXEC and MFD_ALLOW_SEALING are set */
 		file_seals = memfd_file_seals_ptr(file);
-		*file_seals &= ~F_SEAL_SEAL;
+		if (file_seals)
+			*file_seals &= ~F_SEAL_SEAL;
 	}
 
 	fd_install(fd, file);
-- 
2.25.1
Re: [PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall
Posted by Andrew Morton 2 years, 8 months ago 
On Wed,  7 Jun 2023 15:24:27 +0200 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:

> From: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Ensure that file_seals is non-NULL before using it in the memfd_create()
> syscall. One situation in which memfd_file_seals_ptr() could return a NULL
> pointer is when CONFIG_SHMEM=n.

Thanks.  Has thie crash actually been demonstrated?

> --- a/mm/memfd.c
> +++ b/mm/memfd.c
> @@ -371,12 +371,15 @@ SYSCALL_DEFINE2(memfd_create,
>  
>  		inode->i_mode &= ~0111;
>  		file_seals = memfd_file_seals_ptr(file);
> -		*file_seals &= ~F_SEAL_SEAL;
> -		*file_seals |= F_SEAL_EXEC;
> +		if (file_seals) {
> +			*file_seals &= ~F_SEAL_SEAL;
> +			*file_seals |= F_SEAL_EXEC;
> +		}
>  	} else if (flags & MFD_ALLOW_SEALING) {
>  		/* MFD_EXEC and MFD_ALLOW_SEALING are set */
>  		file_seals = memfd_file_seals_ptr(file);
> -		*file_seals &= ~F_SEAL_SEAL;
> +		if (file_seals)
> +			*file_seals &= ~F_SEAL_SEAL;
>  	}
>  
>  	fd_install(fd, file);
Re: [PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall
Posted by Roberto Sassu 2 years, 8 months ago 
On 6/7/2023 7:21 PM, Andrew Morton wrote:
> On Wed,  7 Jun 2023 15:24:27 +0200 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> 
>> From: Roberto Sassu <roberto.sassu@huawei.com>
>>
>> Ensure that file_seals is non-NULL before using it in the memfd_create()
>> syscall. One situation in which memfd_file_seals_ptr() could return a NULL
>> pointer is when CONFIG_SHMEM=n.
> 
> Thanks.  Has thie crash actually been demonstrated?

Welcome. Yes, I noticed it when booting Fedora 38:

Jun 07 11:45:17 localhost kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
Jun 07 11:45:17 localhost kernel: #PF: supervisor write access in kernel mode
Jun 07 11:45:17 localhost kernel: #PF: error_code(0x0002) - not-present page
Jun 07 11:45:17 localhost kernel: PGD 0 P4D 0
Jun 07 11:45:17 localhost kernel: Oops: 0002 [#1] PREEMPT SMP NOPTI
Jun 07 11:45:17 localhost kernel: CPU: 0 PID: 752 Comm: dbus-broker-lau Not tainted 6.4.0-rc1+ #596
Jun 07 11:45:17 localhost kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Jun 07 11:45:17 localhost kernel: RIP: 0010:__do_sys_memfd_create+0x2a4/0x320
Jun 07 11:45:17 localhost kernel: Code: ff 83 e3 02 0f 84 6a ff ff ff 49 81 7d 28 00 cd 24 82 74 0c 4c 89 ef e8 5a 6c 27 00 84 c0 74 29 49 8b 45 20 48 05 88 04 00 0>
Jun 07 11:45:17 localhost kernel: RSP: 0018:ffffc900007d3ef8 EFLAGS: 00010246
Jun 07 11:45:17 localhost kernel: RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
Jun 07 11:45:17 localhost kernel: RDX: 0000000000000003 RSI: 0000000000000004 RDI: ffff888012ab1600
Jun 07 11:45:17 localhost kernel: RBP: ffff888025eb4d60 R08: 0000000000000000 R09: 0000000000000000
Jun 07 11:45:17 localhost kernel: R10: ffffffff83524c90 R11: 0000000000000000 R12: 000000000000000c
Jun 07 11:45:17 localhost kernel: R13: ffff888012ab1600 R14: ffff888025eb4d66 R15: 0000000000000000
Jun 07 11:45:17 localhost kernel: FS:  00007f4ef466de80(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
Jun 07 11:45:17 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 07 11:45:17 localhost kernel: CR2: 0000000000000000 CR3: 000000000e7fe000 CR4: 0000000000350ef0
Jun 07 11:45:17 localhost kernel: Call Trace:
Jun 07 11:45:17 localhost kernel:  <TASK>
Jun 07 11:45:17 localhost kernel:  do_syscall_64+0x3b/0x90
Jun 07 11:45:17 localhost kernel:  entry_SYSCALL_64_after_hwframe+0x72/0xdc
Jun 07 11:45:17 localhost kernel: RIP: 0033:0x7f4ef4a0dd2d
Jun 07 11:45:17 localhost kernel: Code: c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 0>
Jun 07 11:45:17 localhost kernel: RSP: 002b:00007fff308c5b58 EFLAGS: 00000246 ORIG_RAX: 000000000000013f
Jun 07 11:45:17 localhost kernel: RAX: ffffffffffffffda RBX: 00005597c14742d8 RCX: 00007f4ef4a0dd2d
Jun 07 11:45:17 localhost kernel: RDX: 00007f4ef49dfa5b RSI: 0000000000000003 RDI: 00005597c0b8f778
Jun 07 11:45:17 localhost kernel: RBP: 00007fff308c5b80 R08: 0000000000000000 R09: 00007fff308c5fa0
Jun 07 11:45:17 localhost kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
Jun 07 11:45:17 localhost kernel: R13: 00007fff308c5e60 R14: 00007fff308c5c20 R15: 00007fff308c5c00
Jun 07 11:45:17 localhost kernel:  </TASK>
Jun 07 11:45:17 localhost kernel: Modules linked in: sunrpc intel_rapl_msr intel_rapl_common kvm_amd snd_hda_codec_generic ccp snd_hda_intel snd_intel_dspcfg iTCO_w>
Jun 07 11:45:17 localhost kernel: CR2: 0000000000000000
Jun 07 11:45:17 localhost kernel: ---[ end trace 0000000000000000 ]---

Thanks for picking the patches. If it is still possible, it seems
that the Fixes tag is incorrect. The fixed commit should be:

c3b1b1cbf002 ("ramfs: add support for "mode=" mount option")

Roberto

>> --- a/mm/memfd.c
>> +++ b/mm/memfd.c
>> @@ -371,12 +371,15 @@ SYSCALL_DEFINE2(memfd_create,
>>   
>>   		inode->i_mode &= ~0111;
>>   		file_seals = memfd_file_seals_ptr(file);
>> -		*file_seals &= ~F_SEAL_SEAL;
>> -		*file_seals |= F_SEAL_EXEC;
>> +		if (file_seals) {
>> +			*file_seals &= ~F_SEAL_SEAL;
>> +			*file_seals |= F_SEAL_EXEC;
>> +		}
>>   	} else if (flags & MFD_ALLOW_SEALING) {
>>   		/* MFD_EXEC and MFD_ALLOW_SEALING are set */
>>   		file_seals = memfd_file_seals_ptr(file);
>> -		*file_seals &= ~F_SEAL_SEAL;
>> +		if (file_seals)
>> +			*file_seals &= ~F_SEAL_SEAL;
>>   	}
>>   
>>   	fd_install(fd, file);
Re: [PATCH] memfd: Check for non-NULL file_seals in memfd_create() syscall
Posted by Roberto Sassu 2 years, 8 months ago 
On 6/8/2023 11:05 PM, Roberto Sassu wrote:
> On 6/7/2023 7:21 PM, Andrew Morton wrote:
>> On Wed,  7 Jun 2023 15:24:27 +0200 Roberto Sassu 
>> <roberto.sassu@huaweicloud.com> wrote:
>>
>>> From: Roberto Sassu <roberto.sassu@huawei.com>
>>>
>>> Ensure that file_seals is non-NULL before using it in the memfd_create()
>>> syscall. One situation in which memfd_file_seals_ptr() could return a 
>>> NULL
>>> pointer is when CONFIG_SHMEM=n.
>>
>> Thanks.  Has thie crash actually been demonstrated?
> 
> Welcome. Yes, I noticed it when booting Fedora 38:
> 
> Jun 07 11:45:17 localhost kernel: BUG: kernel NULL pointer dereference, 
> address: 0000000000000000
> Jun 07 11:45:17 localhost kernel: #PF: supervisor write access in kernel 
> mode
> Jun 07 11:45:17 localhost kernel: #PF: error_code(0x0002) - not-present 
> page
> Jun 07 11:45:17 localhost kernel: PGD 0 P4D 0
> Jun 07 11:45:17 localhost kernel: Oops: 0002 [#1] PREEMPT SMP NOPTI
> Jun 07 11:45:17 localhost kernel: CPU: 0 PID: 752 Comm: dbus-broker-lau 
> Not tainted 6.4.0-rc1+ #596
> Jun 07 11:45:17 localhost kernel: Hardware name: QEMU Standard PC (Q35 + 
> ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Jun 07 11:45:17 localhost kernel: RIP: 
> 0010:__do_sys_memfd_create+0x2a4/0x320
> Jun 07 11:45:17 localhost kernel: Code: ff 83 e3 02 0f 84 6a ff ff ff 49 
> 81 7d 28 00 cd 24 82 74 0c 4c 89 ef e8 5a 6c 27 00 84 c0 74 29 49 8b 45 
> 20 48 05 88 04 00 0>
> Jun 07 11:45:17 localhost kernel: RSP: 0018:ffffc900007d3ef8 EFLAGS: 
> 00010246
> Jun 07 11:45:17 localhost kernel: RAX: 0000000000000000 RBX: 
> 0000000000000002 RCX: 0000000000000000
> Jun 07 11:45:17 localhost kernel: RDX: 0000000000000003 RSI: 
> 0000000000000004 RDI: ffff888012ab1600
> Jun 07 11:45:17 localhost kernel: RBP: ffff888025eb4d60 R08: 
> 0000000000000000 R09: 0000000000000000
> Jun 07 11:45:17 localhost kernel: R10: ffffffff83524c90 R11: 
> 0000000000000000 R12: 000000000000000c
> Jun 07 11:45:17 localhost kernel: R13: ffff888012ab1600 R14: 
> ffff888025eb4d66 R15: 0000000000000000
> Jun 07 11:45:17 localhost kernel: FS:  00007f4ef466de80(0000) 
> GS:ffff88807dc00000(0000) knlGS:0000000000000000
> Jun 07 11:45:17 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
> 0000000080050033
> Jun 07 11:45:17 localhost kernel: CR2: 0000000000000000 CR3: 
> 000000000e7fe000 CR4: 0000000000350ef0
> Jun 07 11:45:17 localhost kernel: Call Trace:
> Jun 07 11:45:17 localhost kernel:  <TASK>
> Jun 07 11:45:17 localhost kernel:  do_syscall_64+0x3b/0x90
> Jun 07 11:45:17 localhost kernel:  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> Jun 07 11:45:17 localhost kernel: RIP: 0033:0x7f4ef4a0dd2d
> Jun 07 11:45:17 localhost kernel: Code: c3 66 2e 0f 1f 84 00 00 00 00 00 
> 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 
> 4c 8b 4c 24 08 0f 0>
> Jun 07 11:45:17 localhost kernel: RSP: 002b:00007fff308c5b58 EFLAGS: 
> 00000246 ORIG_RAX: 000000000000013f
> Jun 07 11:45:17 localhost kernel: RAX: ffffffffffffffda RBX: 
> 00005597c14742d8 RCX: 00007f4ef4a0dd2d
> Jun 07 11:45:17 localhost kernel: RDX: 00007f4ef49dfa5b RSI: 
> 0000000000000003 RDI: 00005597c0b8f778
> Jun 07 11:45:17 localhost kernel: RBP: 00007fff308c5b80 R08: 
> 0000000000000000 R09: 00007fff308c5fa0
> Jun 07 11:45:17 localhost kernel: R10: 0000000000000000 R11: 
> 0000000000000246 R12: 0000000000000000
> Jun 07 11:45:17 localhost kernel: R13: 00007fff308c5e60 R14: 
> 00007fff308c5c20 R15: 00007fff308c5c00
> Jun 07 11:45:17 localhost kernel:  </TASK>
> Jun 07 11:45:17 localhost kernel: Modules linked in: sunrpc 
> intel_rapl_msr intel_rapl_common kvm_amd snd_hda_codec_generic ccp 
> snd_hda_intel snd_intel_dspcfg iTCO_w>
> Jun 07 11:45:17 localhost kernel: CR2: 0000000000000000
> Jun 07 11:45:17 localhost kernel: ---[ end trace 0000000000000000 ]---
> 
> Thanks for picking the patches. If it is still possible, it seems
> that the Fixes tag is incorrect. The fixed commit should be:
> 
> c3b1b1cbf002 ("ramfs: add support for "mode=" mount option")

Ops, sorry. The comment above was for the patch: shmem: Use 
ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs.

Thanks

Roberto

> Roberto
> 
>>> --- a/mm/memfd.c
>>> +++ b/mm/memfd.c
>>> @@ -371,12 +371,15 @@ SYSCALL_DEFINE2(memfd_create,
>>>           inode->i_mode &= ~0111;
>>>           file_seals = memfd_file_seals_ptr(file);
>>> -        *file_seals &= ~F_SEAL_SEAL;
>>> -        *file_seals |= F_SEAL_EXEC;
>>> +        if (file_seals) {
>>> +            *file_seals &= ~F_SEAL_SEAL;
>>> +            *file_seals |= F_SEAL_EXEC;
>>> +        }
>>>       } else if (flags & MFD_ALLOW_SEALING) {
>>>           /* MFD_EXEC and MFD_ALLOW_SEALING are set */
>>>           file_seals = memfd_file_seals_ptr(file);
>>> -        *file_seals &= ~F_SEAL_SEAL;
>>> +        if (file_seals)
>>> +            *file_seals &= ~F_SEAL_SEAL;
>>>       }
>>>       fd_install(fd, file);

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.