From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Fabian Frederick <fabf@skynet.be>,
Davidlohr Bueso <dbueso@suse.de>,
Manfred Spraul <manfred@colorfullife.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.7 23/41] sysv, ipc: fix security-layer leaking
Date: Sun, 14 Aug 2016 22:38:49 +0200 [thread overview]
Message-ID: <20160814202533.138914415@linuxfoundation.org> (raw)
In-Reply-To: <20160814202531.818402015@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabian Frederick <fabf@skynet.be>
commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
to receive rcu freeing function but used generic ipc_rcu_free() instead
of msg_rcu_free() which does security cleaning.
Running LTP msgsnd06 with kmemleak gives the following:
cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff88003c0a11f8 (size 8):
comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
hex dump (first 8 bytes):
1b 00 00 00 01 00 00 00 ........
backtrace:
kmemleak_alloc+0x23/0x40
kmem_cache_alloc_trace+0xe1/0x180
selinux_msg_queue_alloc_security+0x3f/0xd0
security_msg_queue_alloc+0x2e/0x40
newque+0x4e/0x150
ipcget+0x159/0x1b0
SyS_msgget+0x39/0x40
entry_SYSCALL_64_fastpath+0x13/0x8f
Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
only use ipc_rcu_free in case of security allocation failure in newary()
Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
ipc/msg.c | 2 +-
ipc/sem.c | 12 ++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -680,7 +680,7 @@ long do_msgsnd(int msqid, long mtype, vo
rcu_read_lock();
ipc_lock_object(&msq->q_perm);
- ipc_rcu_putref(msq, ipc_rcu_free);
+ ipc_rcu_putref(msq, msg_rcu_free);
/* raced with RMID? */
if (!ipc_valid_object(&msq->q_perm)) {
err = -EIDRM;
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -449,7 +449,7 @@ static inline struct sem_array *sem_obta
static inline void sem_lock_and_putref(struct sem_array *sma)
{
sem_lock(sma, NULL, -1);
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
}
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
@@ -1392,7 +1392,7 @@ static int semctl_main(struct ipc_namesp
rcu_read_unlock();
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if (sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
@@ -1426,20 +1426,20 @@ static int semctl_main(struct ipc_namesp
if (nsems > SEMMSL_FAST) {
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if (sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
}
if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -EFAULT;
goto out_free;
}
for (i = 0; i < nsems; i++) {
if (sem_io[i] > SEMVMX) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -ERANGE;
goto out_free;
}
@@ -1731,7 +1731,7 @@ static struct sem_undo *find_alloc_undo(
/* step 2: allocate new undo structure */
new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
if (!new) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return ERR_PTR(-ENOMEM);
}
next prev parent reply other threads:[~2016-08-14 20:45 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160814204653uscas1p136630e2fd59612e56b31ed2096f71df2@uscas1p1.samsung.com>
2016-08-14 20:38 ` [PATCH 4.7 00/41] 4.7.1-stable review Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 01/41] ext4: verify extent header depth Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 02/41] vfs: ioctl: prevent double-fetch in dedupe ioctl Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 03/41] vfs: fix deadlock in file_remove_privs() on overlayfs Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 04/41] udp: use sk_filter_trim_cap for udp{,6}_queue_rcv_skb Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 05/41] net/bonding: Enforce active-backup policy for IPoIB bonds Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 06/41] bridge: Fix incorrect re-injection of LLDP packets Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 07/41] net: ipv6: Always leave anycast and multicast groups on link down Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 08/41] sctp: fix BH handling on socket backlog Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 09/41] net/irda: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 10/41] net/sctp: terminate rhashtable walk correctly Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 11/41] qed: Fix setting/clearing bit in completion bitmap Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 12/41] macsec: ensure rx_sa is set when validation is disabled Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 13/41] tcp: consider recv buf for the initial window scale Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 14/41] arm: oabi compat: add missing access checks Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 15/41] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 16/41] IB/hfi1: Disable by default Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 17/41] apparmor: fix ref count leak when profile sha1 hash is read Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 18/41] random: strengthen input validation for RNDADDTOENTCNT Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 19/41] mm: memcontrol: fix swap counter leak on swapout from offline cgroup Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 20/41] mm: memcontrol: fix memcg id ref counter on swap charge move Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 21/41] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 22/41] block: fix use-after-free in seq file Greg Kroah-Hartman
2016-08-14 20:38 ` Greg Kroah-Hartman [this message]
2016-08-14 20:38 ` [PATCH 4.7 24/41] radix-tree: account nodes to memcg only if explicitly requested Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 25/41] x86/microcode: Fix suspend to RAM with builtin microcode Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 26/41] x86/power/64: Fix hibernation return address corruption Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 27/41] fuse: fsync() did not return IO errors Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 28/41] fuse: fuse_flush must check mapping->flags for errors Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 29/41] fuse: fix wrong assignment of ->flags in fuse_send_init() Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 30/41] Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements" Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 31/41] fs/dcache.c: avoid soft-lockup in dput() Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 32/41] Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency" Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.7 33/41] crypto: gcm - Filter out async ghash if necessary Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 34/41] crypto: scatterwalk - Fix test in scatterwalk_done Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 35/41] serial: mvebu-uart: free the IRQ in ->shutdown() Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 36/41] ext4: check for extents that wrap around Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 37/41] ext4: fix deadlock during page writeback Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 38/41] ext4: dont call ext4_should_journal_data() on the journal inode Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 39/41] ext4: validate s_reserved_gdt_blocks on mount Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 40/41] ext4: short-cut orphan cleanup on error Greg Kroah-Hartman
2016-08-14 20:39 ` [PATCH 4.7 41/41] ext4: fix reference counting bug on block allocation error Greg Kroah-Hartman
[not found] ` <57b11e62.eeb8c20a.9231a.76ad@mx.google.com>
2016-08-15 7:56 ` [PATCH 4.7 00/41] 4.7.1-stable review Greg Kroah-Hartman
2016-08-15 21:31 ` Kevin Hilman
2016-08-15 13:03 ` Guenter Roeck
2016-08-15 13:46 ` Greg Kroah-Hartman
2016-08-16 4:03 ` Shuah Khan
2016-08-16 10:48 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160814202533.138914415@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=dbueso@suse.de \
--cc=fabf@skynet.be \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.