From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH 1/2] selinux: fix a race condition in security_read_policy()
Date: Mon, 24 Aug 2020 13:30:14 +0200 [thread overview]
Message-ID: <20200824113015.1375857-2-omosnace@redhat.com> (raw)
In-Reply-To: <20200824113015.1375857-1-omosnace@redhat.com>
In security_read_policy(), the policy length is computed using
security_policydb_len(), which does a separate transaction, and then
another transaction is done to write the policydb into a buffer of this
length.
The bug is that the policy might be re-loaded in between the two
transactions and so the length can be wrong. In case the new length is
lower than the old length, the length is corrected at the end of the
function. In case the new length is higher than the old one, an error is
returned.
Since we can't call vmalloc_user() under read_lock(), fix it by checking
if the allocated buffer is sufficiently large after doing the allocation
and taking the read lock and if not, retry the whole operation with the
new size.
Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
security/selinux/ss/services.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a48fc1b337ba9..2c9072f095985 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3849,14 +3849,22 @@ int security_read_policy(struct selinux_state *state,
*len = security_policydb_len(state);
+again:
*data = vmalloc_user(*len);
if (!*data)
return -ENOMEM;
+ read_lock(&state->ss->policy_rwlock);
+ if (*len < state->ss->policy->policydb.len) {
+ *len = state->ss->policy->policydb.len;
+ read_unlock(&state->ss->policy_rwlock);
+ vfree(*data);
+ goto again;
+ }
+
fp.data = *data;
fp.len = *len;
- read_lock(&state->ss->policy_rwlock);
rc = policydb_write(&state->ss->policy->policydb, &fp);
read_unlock(&state->ss->policy_rwlock);
--
2.26.2
next prev parent reply other threads:[~2020-08-24 11:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-24 11:30 [PATCH 0/2] Fix race conditions when reading out policy data Ondrej Mosnacek
2020-08-24 11:30 ` Ondrej Mosnacek [this message]
2020-08-24 12:47 ` [PATCH 1/2] selinux: fix a race condition in security_read_policy() Stephen Smalley
2020-08-24 12:52 ` Stephen Smalley
2020-08-24 13:04 ` Ondrej Mosnacek
2020-08-25 13:28 ` Paul Moore
2020-08-24 11:30 ` [PATCH 2/2] selinux: fix a race condition in sel_open_policy() Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824113015.1375857-2-omosnace@redhat.com \
--to=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).