diff options
| author |   Pratyush Yadav (Google) <pratyush@kernel.org> | 2026-05-05 15:39:20 +0200 |
|---|---|---|
| committer |   Andrew Morton <akpm@linux-foundation.org> | 2026-05-21 19:06:11 -0700 |
| commit | 3b041514cb6eae45869b020f743c14d983363222 (patch) | |
| tree | 217f807f7aaa8089a8d8c168f8ad4c760a2820ff /tools/testing/ktest/examples/include/ssh:/git@git.zx2c4.com | |
| parent | ipc: limit next_id allocation to the valid ID range (diff) | |
memfd: deny writeable mappings when implying SEAL_WRITE
When SEAL_EXEC is added, SEAL_WRITE is implied to make W^X. But the
implied seal is set after the check that makes sure the memfd can not have
any writable mappings. This means one can use SEAL_EXEC to apply
SEAL_WRITE while having writeable mappings.
This breaks the contract that SEAL_WRITE provides and can be used by an
attacker to pass a memfd that appears to be write sealed but can still be
modified arbitrarily.
Fix this by adding the implied seals before the call for
mapping_deny_writable() is done.
Link: https://lore.kernel.org/20260505133922.797635-1-pratyush@kernel.org
Fixes: c4f75bc8bd6b ("mm/memfd: add write seals when apply SEAL_EXEC to executable memfd")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Acked-by: Jeff Xu <jeffxu@google.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'tools/testing/ktest/examples/include/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions