* + sysv-ipc-fix-security-layer-leaking.patch added to -mm tree
@ 2016-08-01 21:52 akpm
0 siblings, 0 replies; only message in thread
From: akpm @ 2016-08-01 21:52 UTC (permalink / raw)
To: fabf, dbueso, manfred, stable, mm-commits
The patch titled
Subject: sysv, ipc: fix security-layer leaking
has been added to the -mm tree. Its filename is
sysv-ipc-fix-security-layer-leaking.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/sysv-ipc-fix-security-layer-leaking.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/sysv-ipc-fix-security-layer-leaking.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Fabian Frederick <fabf@skynet.be>
Subject: sysv, ipc: fix security-layer leaking
53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref() to
receive rcu freeing function but used generic ipc_rcu_free() instead of
msg_rcu_free() which does security cleaning.
Running LTP msgsnd06 with kmemleak gives the following:
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff88003c0a11f8 (size 8):
comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
hex dump (first 8 bytes):
1b 00 00 00 01 00 00 00 ........
backtrace:
[<ffffffff818e2c43>] kmemleak_alloc+0x23/0x40
[<ffffffff81177f31>] kmem_cache_alloc_trace+0xe1/0x180
[<ffffffff812d42af>] selinux_msg_queue_alloc_security+0x3f/0xd0
[<ffffffff812cc6be>] security_msg_queue_alloc+0x2e/0x40
[<ffffffff812b94ee>] newque+0x4e/0x150
[<ffffffff812b8cb9>] ipcget+0x159/0x1b0
[<ffffffff812b98d9>] SyS_msgget+0x39/0x40
[<ffffffff818e7bdb>] entry_SYSCALL_64_fastpath+0x13/0x8f
[<ffffffffffffffff>] 0xffffffffffffffff
Manfred Spraul suggested to fix sem.c as well and
Davidlohr Bueso to only use ipc_rcu_free in case of security
allocation failure in newary()
Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
ipc/msg.c | 2 +-
ipc/sem.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff -puN ipc/msg.c~sysv-ipc-fix-security-layer-leaking ipc/msg.c
--- a/ipc/msg.c~sysv-ipc-fix-security-layer-leaking
+++ a/ipc/msg.c
@@ -680,7 +680,7 @@ long do_msgsnd(int msqid, long mtype, vo
rcu_read_lock();
ipc_lock_object(&msq->q_perm);
- ipc_rcu_putref(msq, ipc_rcu_free);
+ ipc_rcu_putref(msq, msg_rcu_free);
/* raced with RMID? */
if (!ipc_valid_object(&msq->q_perm)) {
err = -EIDRM;
diff -puN ipc/sem.c~sysv-ipc-fix-security-layer-leaking ipc/sem.c
--- a/ipc/sem.c~sysv-ipc-fix-security-layer-leaking
+++ a/ipc/sem.c
@@ -438,7 +438,7 @@ static inline struct sem_array *sem_obta
static inline void sem_lock_and_putref(struct sem_array *sma)
{
sem_lock(sma, NULL, -1);
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
}
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
@@ -1381,7 +1381,7 @@ static int semctl_main(struct ipc_namesp
rcu_read_unlock();
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if (sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
@@ -1415,20 +1415,20 @@ static int semctl_main(struct ipc_namesp
if (nsems > SEMMSL_FAST) {
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if (sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
}
if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -EFAULT;
goto out_free;
}
for (i = 0; i < nsems; i++) {
if (sem_io[i] > SEMVMX) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -ERANGE;
goto out_free;
}
@@ -1720,7 +1720,7 @@ static struct sem_undo *find_alloc_undo(
/* step 2: allocate new undo structure */
new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
if (!new) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return ERR_PTR(-ENOMEM);
}
_
Patches currently in -mm which might be from fabf@skynet.be are
sysv-ipc-fix-security-layer-leaking.patch
treewide-replace-obsolete-_refok-by-__ref.patch
ipc-msgc-fix-memory-leak-in-do_msgsnd.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-08-01 22:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-01 21:52 + sysv-ipc-fix-security-layer-leaking.patch added to -mm tree akpm
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.