From: Willy Tarreau <w@1wt.eu>
To: Manfred Spraul <manfred@colorfullife.com>
Cc: Fabian Frederick <fabf@skynet.be>,
Davidlohr Bueso <dbueso@suse.de>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 3.14 17/29] sysv, ipc: fix security-layer leaking
Date: Mon, 29 Aug 2016 13:49:48 +0200
Message-ID: <20160829114948.GE7870@1wt.eu>
In-Reply-To: <0f6c6250-a786-b11c-5f82-55f3863bda4d@colorfullife.com>
Hi Manfred,
On Mon, Aug 29, 2016 at 11:23:55AM +0200, Manfred Spraul wrote:
> Hi Willy,
>
> On 08/21/2016 01:49 PM, Willy Tarreau wrote:
> > Hi guys,
> >
> > On Sun, Aug 14, 2016 at 10:07:45PM +0200, Greg Kroah-Hartman wrote:
> > > 3.14-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Fabian Frederick <fabf@skynet.be>
> > >
> > > commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
> > >
> > > Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
> > > to receive rcu freeing function but used generic ipc_rcu_free() instead
> > > of msg_rcu_free() which does security cleaning.
> > >
> > > Running LTP msgsnd06 with kmemleak gives the following:
> > >
> > > cat /sys/kernel/debug/kmemleak
> > >
> > > unreferenced object 0xffff88003c0a11f8 (size 8):
> > > comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
> > > hex dump (first 8 bytes):
> > > 1b 00 00 00 01 00 00 00 ........
> > > backtrace:
> > > kmemleak_alloc+0x23/0x40
> > > kmem_cache_alloc_trace+0xe1/0x180
> > > selinux_msg_queue_alloc_security+0x3f/0xd0
> > > security_msg_queue_alloc+0x2e/0x40
> > > newque+0x4e/0x150
> > > ipcget+0x159/0x1b0
> > > SyS_msgget+0x39/0x40
> > > entry_SYSCALL_64_fastpath+0x13/0x8f
> > >
> > > Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
> > > only use ipc_rcu_free in case of security allocation failure in newary()
> > >
> > > Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
> > > Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
> > > Signed-off-by: Fabian Frederick <fabf@skynet.be>
> > > Cc: Davidlohr Bueso <dbueso@suse.de>
> > > Cc: Manfred Spraul <manfred@colorfullife.com>
> > > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > The patch above was tagged for stable v3.12+, however it references a fix
> > that was backported in 3.10.16 as commit e84ca333, so I'm unsure whether
> > 3.10 is affected or not. It *seems* to me that I should replace remaining
> > instances of ipc_rcu_free with sem_rcu_free in sem.c, and with msg_rcu_free
> > in msg.c, but I'd prefer a confirmation. For now I'm postponing this fix,
> > any hint would be much appreciated.
> Yes, we need the patch for v3.10 as well.
> There must be exactly two instances of ipc_rcu_free in each of sem.c, msg.c,
> shm.c:
> It is called when security_{sem,msg_queue,shm}_alloc fails.
> And obviously within sem_rcu_free, ... .
>
> The rest must be sem_rcu_free(), ... .
OK that seems clear enough.
> Should I test if the patch from 3.14 works with v3.10?
As you like. Your explanation seems clear to me, I think I'll get it
right. However if you have an easy reproducer and don't mind testing
it on 3.10.103, that would indeed be appreciated, otherwise do not
waste your time.
thanks,
Willy
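To make the mechanism behind the thread concrete, the following is a constructed C model added here (not the kernel's code and not part of the patch or the mails above) of the release path under discussion: a refcounted IPC object whose last reference goes through either a generic free that drops only the container, or a type-specific free that first releases the LSM security blob. Every name ending in _model is a hypothetical stand-in for the kernel function it resembles.

```c
#include <stdlib.h>
/* Constructed model of the leak in the thread; names are hypothetical stand-ins. */
static int live_security_blobs;          /* outstanding LSM blob allocations */
struct ipc_perm_model {
    int refcount;
    void *security;                      /* blob from the LSM alloc hook */
};
/* Stand-ins for security_msg_queue_alloc() and security_msg_queue_free(). */
static int security_alloc_model(struct ipc_perm_model *p)
{
    p->security = calloc(1, 8);
    if (!p->security)
        return -1;
    live_security_blobs++;
    return 0;
}
static void security_free_model(struct ipc_perm_model *p)
{
    free(p->security);
    live_security_blobs--;
}
/* Generic callback: frees only the container; right only when no blob exists. */
static void ipc_rcu_free_model(struct ipc_perm_model *p) { free(p); }
/* Type-specific callback: releases the LSM blob, then the container. */
static void msg_rcu_free_model(struct ipc_perm_model *p)
{
    security_free_model(p);
    free(p);
}
/* The caller chooses the callback; the wrong one silently leaks the blob. */
static void ipc_rcu_putref_model(struct ipc_perm_model *p,
                                 void (*rcu_free)(struct ipc_perm_model *))
{
    if (--p->refcount == 0)
        rcu_free(p);
}
/* Allocate an object plus its blob, drop the last reference through the given
 * callback, and return how many blobs remain live (0 means no leak). */
static int leaked_blobs_after_release(void (*rcu_free)(struct ipc_perm_model *))
{
    struct ipc_perm_model *p = calloc(1, sizeof(*p));
    p->refcount = 1;
    live_security_blobs = 0;
    if (security_alloc_model(p) != 0) {  /* newque()'s failure path: no blob */
        ipc_rcu_putref_model(p, ipc_rcu_free_model);
        return 0;
    }
    ipc_rcu_putref_model(p, rcu_free);
    return live_security_blobs;
}
```

Releasing through the generic callback leaves one blob live, which is what kmemleak reported for msgsnd06; the type-specific callback leaves none.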