* [PATCH] slim: fix bug with mm_users usage
@ 2006-09-22 23:13 Kylene Jo Hall
2006-09-23 14:38 ` Hugh Dickins
0 siblings, 1 reply; 2+ messages in thread
From: Kylene Jo Hall @ 2006-09-22 23:13 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, Mimi Zohar, Dave Safford, Serge Hallyn
There is a NULL pointer dereference possible that was introduced in the
last round of modifications to the demotion code before merging.
current->mm should be checked for existence before it is dereferenced to
check the value of the mm_users field. This patch fixes all instances
of this bug.
Signed-off-by: Kylene Hall <kjhall@us.ibm.com>
---
security/slim/slm_main.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
--- linux-2.6.18-rc6-orig/security/slim/slm_main.c 2006-09-18 16:41:51.000000000 -0500
+++ linux-2.6.18-rc6/security/slim/slm_main.c 2006-09-22 13:58:35.000000000 -0500
@@ -529,7 +519,7 @@ static int enforce_integrity_read(struct
spin_lock(&cur_tsec->lock);
if (!is_iac_less_than_or_exempt(level, cur_tsec->iac_r)) {
rc = has_file_wperm(level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE, "ppid %d(%s p=%d-%s) "
@@ -1100,7 +1092,7 @@ int slm_socket_create(int family, int ty
memset(&level, 0, sizeof(struct slm_file_xattr));
level.iac_level = SLM_IAC_UNTRUSTED;
rc = has_file_wperm(&level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,
@@ -1306,7 +1298,7 @@ static int enforce_integrity_execute(str
cur_tsec->iac_r = cur_tsec->iac_wx;
} else {
rc = has_file_wperm(level);
- if (atomic_read(¤t->mm->mm_users) != 1)
+ if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] slim: fix bug with mm_users usage
2006-09-22 23:13 [PATCH] slim: fix bug with mm_users usage Kylene Jo Hall
@ 2006-09-23 14:38 ` Hugh Dickins
0 siblings, 0 replies; 2+ messages in thread
From: Hugh Dickins @ 2006-09-23 14:38 UTC (permalink / raw)
To: Kylene Jo Hall; +Cc: linux-kernel, akpm, Mimi Zohar, Dave Safford, Serge Hallyn
On Fri, 22 Sep 2006, Kylene Jo Hall wrote:
Nothing to do with this patch as such, but as it went past I noticed
> --- linux-2.6.18-rc6-orig/security/slim/slm_main.c 2006-09-18 16:41:51.000000000 -0500
> +++ linux-2.6.18-rc6/security/slim/slm_main.c 2006-09-22 13:58:35.000000000 -0500
> @@ -529,7 +519,7 @@ static int enforce_integrity_read(struct
> spin_lock(&cur_tsec->lock);
> if (!is_iac_less_than_or_exempt(level, cur_tsec->iac_r)) {
> rc = has_file_wperm(level);
> - if (atomic_read(¤t->mm->mm_users) != 1)
> + if (current->mm && atomic_read(¤t->mm->mm_users) != 1)
> rc = 1;
I've not studied your patches, and I don't know what that line's about,
but you appear to be attaching considerable significance to the value of
mm->mm_users. Yet swapoff (try_to_unuse) has to bump it up to hold the
mm temporarily, as does get_task_mm() used in various places (mainly /proc).
Hugh
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-09-23 14:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-09-22 23:13 [PATCH] slim: fix bug with mm_users usage Kylene Jo Hall
2006-09-23 14:38 ` Hugh Dickins
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).