From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: paul@paul-moore.com
Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
eparis@redhat.com, sds@tycho.nsa.gov, casey@schaufler-ca.com,
jmorris@namei.org
Subject: Re: [PATCH] selinux: fix double free in selinux_parse_opts_str()
Date: Sat, 25 Mar 2017 11:55:47 +0900 [thread overview]
Message-ID: <201703251155.FBH12969.LFOFMHSFJQtOOV@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAHC9VhQc-55wALE-Qo=b1sY5Ts=Oo1Ra_xp+Euu_WSnuDowa0A@mail.gmail.com>
Paul Moore wrote:
> Hi,
>
> Thank you very much for this patch, but I think we need to look a bit
> harder at this problem as it appears that many callers assume that
> selinux_parse_opts_str() cleans up after itself. Looking quickly I
> found what appear to be two problems, there are likely more ...
>
> * selinux_sb_remount()
> If selinux_parse_opts_str() fails here it doesn't appear we cleanup
> opts properly, although changing the jump target from
> "out_free_secdata" to "out_free_opts" would appear to correct this.
>
> * btrfs_mount()
> This function calls parse_security_options() which in turn calls
> security_sb_parse_opts_str(), but if parse_security_options() fails in
> this case the security_mnt_opts are not free'd.
>
> At this point I wonder if the quick fix is to set opts->mnt_opts to
> NULL after kfree()'ing it, or simply drop the kfree() call and call
> security_free_mnt_opts() in the out_err error handling code; the
> latter is a bit more work than needed, but I believe it should be safe
> in all conditions.
I think the latter is better.
We might allow multiple LSM modules to parse mount options in future
(not limited to SELinux + Smack combination, small LSMs might want to
parse mount options). Then, calling a common function for releasing
memory allocated by individual module will become needed.
WARNING: multiple messages have this Message-ID (diff)
From: penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] selinux: fix double free in selinux_parse_opts_str()
Date: Sat, 25 Mar 2017 11:55:47 +0900 [thread overview]
Message-ID: <201703251155.FBH12969.LFOFMHSFJQtOOV@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CAHC9VhQc-55wALE-Qo=b1sY5Ts=Oo1Ra_xp+Euu_WSnuDowa0A@mail.gmail.com>
Paul Moore wrote:
> Hi,
>
> Thank you very much for this patch, but I think we need to look a bit
> harder at this problem as it appears that many callers assume that
> selinux_parse_opts_str() cleans up after itself. Looking quickly I
> found what appear to be two problems, there are likely more ...
>
> * selinux_sb_remount()
> If selinux_parse_opts_str() fails here it doesn't appear we cleanup
> opts properly, although changing the jump target from
> "out_free_secdata" to "out_free_opts" would appear to correct this.
>
> * btrfs_mount()
> This function calls parse_security_options() which in turn calls
> security_sb_parse_opts_str(), but if parse_security_options() fails in
> this case the security_mnt_opts are not free'd.
>
> At this point I wonder if the quick fix is to set opts->mnt_opts to
> NULL after kfree()'ing it, or simply drop the kfree() call and call
> security_free_mnt_opts() in the out_err error handling code; the
> latter is a bit more work than needed, but I believe it should be safe
> in all conditions.
I think the latter is better.
We might allow multiple LSM modules to parse mount options in future
(not limited to SELinux + Smack combination, small LSMs might want to
parse mount options). Then, calling a common function for releasing
memory allocated by individual module will become needed.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-03-25 2:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-24 11:40 [PATCH] selinux: fix double free in selinux_parse_opts_str() Tetsuo Handa
2017-03-24 11:40 ` Tetsuo Handa
2017-03-24 17:03 ` Paul Moore
2017-03-24 17:03 ` Paul Moore
2017-03-25 2:55 ` Tetsuo Handa [this message]
2017-03-25 2:55 ` Tetsuo Handa
2017-03-25 17:13 ` Casey Schaufler
2017-03-25 17:13 ` Casey Schaufler
2017-04-26 21:24 ` Paul Moore
2017-04-26 21:24 ` Paul Moore
2017-04-26 21:37 ` Tetsuo Handa
2017-04-26 21:37 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201703251155.FBH12969.LFOFMHSFJQtOOV@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.