From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: Fabian Frederick <fabf@skynet.be>,
Davidlohr Bueso <dbueso@suse.de>,
Manfred Spraul <manfred@colorfullife.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Jiri Slaby <jslaby@suse.cz>
Subject: [patch added to 3.12-stable] sysv, ipc: fix security-layer leaking
Date: Thu, 18 Aug 2016 14:49:27 +0200 [thread overview]
Message-ID: <20160818124953.31969-22-jslaby@suse.cz> (raw)
In-Reply-To: <20160818124953.31969-1-jslaby@suse.cz>
From: Fabian Frederick <fabf@skynet.be>
This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.
===============
commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
to receive rcu freeing function but used generic ipc_rcu_free() instead
of msg_rcu_free() which does security cleaning.
Running LTP msgsnd06 with kmemleak gives the following:
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff88003c0a11f8 (size 8):
comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
hex dump (first 8 bytes):
1b 00 00 00 01 00 00 00 ........
backtrace:
kmemleak_alloc+0x23/0x40
kmem_cache_alloc_trace+0xe1/0x180
selinux_msg_queue_alloc_security+0x3f/0xd0
security_msg_queue_alloc+0x2e/0x40
newque+0x4e/0x150
ipcget+0x159/0x1b0
SyS_msgget+0x39/0x40
entry_SYSCALL_64_fastpath+0x13/0x8f
Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
only use ipc_rcu_free in case of security allocation failure in newary()
Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
ipc/msg.c | 2 +-
ipc/sem.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipc/msg.c b/ipc/msg.c
index 32aaaab15c5c..f8c22afff450 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -730,7 +730,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
rcu_read_lock();
ipc_lock_object(&msq->q_perm);
- ipc_rcu_putref(msq, ipc_rcu_free);
+ ipc_rcu_putref(msq, msg_rcu_free);
if (msq->q_perm.deleted) {
err = -EIDRM;
goto out_unlock0;
diff --git a/ipc/sem.c b/ipc/sem.c
index b064468e876f..7fb486739cbb 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -442,7 +442,7 @@ static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns
static inline void sem_lock_and_putref(struct sem_array *sma)
{
sem_lock(sma, NULL, -1);
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
}
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
@@ -1373,7 +1373,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
rcu_read_unlock();
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if(sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
@@ -1407,20 +1407,20 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
if(nsems > SEMMSL_FAST) {
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if(sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
}
if (copy_from_user (sem_io, p, nsems*sizeof(ushort))) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -EFAULT;
goto out_free;
}
for (i = 0; i < nsems; i++) {
if (sem_io[i] > SEMVMX) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -ERANGE;
goto out_free;
}
@@ -1710,7 +1710,7 @@ static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
/* step 2: allocate new undo structure */
new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
if (!new) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return ERR_PTR(-ENOMEM);
}
--
2.9.3
next prev parent reply other threads:[~2016-08-18 12:50 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-18 12:49 [patch added to 3.12-stable] x86, asmlinkage, lguest: Pass in globals into assembler statement Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: at91_can: RX queue could get stuck at high bus load Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix handling of unmodifiable configuration options fix Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix oops caused by wrong rtnl dellink usage Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ipr: Clear interrupt on croc/crocodile when running with LSI Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] net: mvneta: set real interrupt per packet for tx_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random32: add prandom_u32_max and convert open coded users Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: make challenge acks less predictable Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] net/irda: fix NULL pointer dereference on memory allocation failure Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: consider recv buf for the initial window scale Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix mapped fault broken commpage handling Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Add missing gfn range check Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: i2c-hid: set power sleep before shutdown Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] x86/mm: Improve switch_mm() barrier comments Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] arm: oabi compat: add missing access checks Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] apparmor: fix ref count leak when profile sha1 hash is read Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] block: fix use-after-free in seq file Jiri Slaby
2016-08-18 12:49 ` Jiri Slaby [this message]
2016-08-18 12:49 ` [patch added to 3.12-stable] fuse: fix wrong assignment of ->flags in fuse_send_init() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: gcm - Filter out async ghash if necessary Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: scatterwalk - Fix test in scatterwalk_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: check for extents that wrap around Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix deadlock during page writeback Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: don't call ext4_should_journal_data() on the journal inode Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: short-cut orphan cleanup on error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix reference counting bug on block allocation error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] USB: serial: option: add support for Telit LE910 PID 0x1206 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] gpio: pca953x: Fix NBANK calculation for PCA9536 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Set device name for reserved memory region devs Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Add release callback for " Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] cifs: Check for existing directory when opening file with O_CREAT Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] cifs: fix crash due to race in hmac(md5) handling Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random: properly align get_random_int_hash Jiri Slaby
2016-08-19 3:14 ` Eric Biggers
2016-08-19 7:07 ` Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] nfs: don't create zero-length requests Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160818124953.31969-22-jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=akpm@linux-foundation.org \
--cc=dbueso@suse.de \
--cc=fabf@skynet.be \
--cc=manfred@colorfullife.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.