Bug 219106 - udmabuf allows creating write mapping for write-sealed memfd
Status: NEW
Product: Linux
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: P3 normal
Assignee: Virtual assignee for kernel bugs
Reported: 2024-07-30 05:56 UTC by Julian Orth
Modified: 2024-12-03 17:32 UTC
Regression: No

Description Julian Orth 2024-07-30 05:56:58 UTC
udmabuf

1. checks that the memfd does not have a write seal
2. makes it so that no write seal can be added in the future

But these two steps are not atomic and userspace can add a seal in between. Userspace can then map the dmabuf to get write access to the memfd.

POC: https://github.com/mahkoh/udmabuf-seal

Requires the user to have read access to /dev/udmabuf.

Tested with 6.10.1 and 6.11-rc1.
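
Added example (not part of the report, the linked POC, or any kernel code): a single-threaded toy model of the two steps in the description, showing why the check and the "no future seals" step have to sit in one critical section. All struct, field and function names are hypothetical, and the lock-held variant is a generic way to close such a window, assumed here for illustration rather than taken from a posted patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy userspace model, NOT kernel code; every name here is hypothetical. */
#define SEAL_WRITE 0x1u

struct memfd_model {
    unsigned seals;      /* seals currently set on the file */
    bool no_more_seals;  /* step 2 done: adding seals is refused from now on */
    bool locked;         /* stand-in for a lock that serialises seal changes */
};

/* The competing userspace action: try to add a write seal. */
static bool add_write_seal(struct memfd_model *m)
{
    if (m->locked || m->no_more_seals)
        return false;    /* a real lock would block; the model just refuses */
    m->seals |= SEAL_WRITE;
    return true;
}

/* Runs steps 1 and 2 with a constructed worst-case interleaving in between.
 * Returns true if a buffer backed by a writable mapping was created. */
static bool create_buffer(struct memfd_model *m, bool hold_lock)
{
    if (hold_lock) m->locked = true;
    bool ok = !(m->seals & SEAL_WRITE);   /* step 1: check for a write seal */
    add_write_seal(m);                    /* other thread scheduled right here */
    if (ok) m->no_more_seals = true;      /* step 2: forbid future write seals */
    if (hold_lock) m->locked = false;
    return ok;
}

/* True when the invariant is broken: write-sealed file, writable buffer. */
static bool sealed_but_writable(bool hold_lock)
{
    struct memfd_model m = {0};
    bool created = create_buffer(&m, hold_lock);
    return created && (m.seals & SEAL_WRITE) != 0;
}

int main(void)
{
    printf("racy:   invariant broken = %d\n", sealed_but_writable(false));
    printf("locked: invariant broken = %d\n", sealed_but_writable(true));
    return 0;
}
```
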
Comment 1 Jann Horn (Google) 2024-12-03 17:32:04 UTC
I posted a patch for this at https://lore.kernel.org/all/20241203-udmabuf-fixes-v1-1-f99281c345aa@google.com/ .