From: Manfred Spraul <manfred@colorfullife.com>
To: Ethan Zhao <ethan.kernel@gmail.com>, Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ethan Zhao <ethan.zhao@oracle.com>,
james.l.morris@oracle.com, serge@hallyn.com,
eparis@parisplace.org, paul@paul-moore.com,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
ethan.kernel@gmail.conm
Subject: Re: [PATCH] Selinux/hooks.c: Fix a NULL pointer dereference caused by semop()
Date: Wed, 21 Jan 2015 06:30:25 +0100 [thread overview]
Message-ID: <54BF3971.2090003@colorfullife.com> (raw)
In-Reply-To: <CABawtvPrhVWV3bC-=wygqfHJzctvrmd1WxDD1ciuLE7F7-_yaQ@mail.gmail.com>
On 01/21/2015 04:53 AM, Ethan Zhao wrote:
> On Tue, Jan 20, 2015 at 10:10 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 01/20/2015 04:18 AM, Ethan Zhao wrote:
>>> sys_semget()
>>> ->newary()
>>> ->security_sem_alloc()
>>> ->sem_alloc_security()
>>> selinux_sem_alloc_security()
>>> ->ipc_alloc_security() {
>>> ->rc = avc_has_perm()
>>> if (rc) {
>>> ipc_free_security(&sma->sem_perm);
>>> return rc;
>> We free the security structure here to avoid a memory leak on a
>> failed/denied semaphore set creation. In this situation, we return an
>> error to the caller (ultimately to newary), it does an
>> ipc_rcu_putref(sma, ipc_rcu_free), and it returns an error to the
>> caller. Thus, it never calls ipc_addid() and the semaphore set is not
>> created. So how then can you call semtimedop() on it?
> Seems it wouldn't happen after commit e8577d1f0329d4842e8302e289fb2c22156abef4 ?
That was my first guess when I read the bug report - but it can't be the
fix, because security_sem_alloc() is before the ipc_addid(), with or
without the patch.
thread A:
thread B:
semtimedop()
-> sem_obtain_object_check()
semctl(IPC_RMID)
-> freeary()
-> ipc_rcu_putref()
-> call_rcu()
-> somehow a grace period
-> sem_rcu_free()
-> security_sem_free()
Perhaps: modify ipc_free_security() to hexdump perm and a few more bytes
if the pointer is NULL?
--
Manfred
> Thanks,
> Ethan
>>> So ipc_perms->security was NULL, then semtimedop() was called as
>>> following:
>>>
>>> sys_semtimedop() / semop()
>>> ->selinux_sem_semop()
>>> ->ipc_has_perm()
>>> ->avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
>>> ^- NULL pointer dereference happens
>>>
>>> The test kernel was running on VMware.
>>> This patch use to fix this serious security issue could be triggered by user space.
>>> This patch was tested with v3.19-rc5.
>>>
>>> Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>
>>> ---
>>> security/selinux/hooks.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 6da7532..bbe76f5 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -5129,6 +5129,8 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
>>> u32 sid = current_sid();
>>>
>>> isec = ipc_perms->security;
>>> + if (!isec)
>>> + return -EACCES;
>>>
>>> ad.type = LSM_AUDIT_DATA_IPC;
>>> ad.u.ipc_id = ipc_perms->key;
>>>
>> That is not the correct fix; it just hides a bug. If we reach
>> ipc_has_perm() with a NULL isec, it is a bug in the ipc code.
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2015-01-21 5:30 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-20 9:18 [PATCH] Selinux/hooks.c: Fix a NULL pointer dereference caused by semop() Ethan Zhao
2015-01-20 14:10 ` Stephen Smalley
2015-01-20 18:49 ` Manfred Spraul
2015-01-20 21:01 ` Stephen Smalley
2015-01-20 21:06 ` Eric Paris
2015-01-20 21:09 ` Stephen Smalley
2015-01-21 1:30 ` ethan zhao
2015-01-21 3:53 ` Ethan Zhao
2015-01-21 5:30 ` Manfred Spraul [this message]
2015-01-22 2:44 ` Ethan Zhao
2015-01-22 18:15 ` Manfred Spraul
2015-01-23 2:00 ` ethan zhao
2015-01-22 19:05 ` Stephen Smalley
2015-01-22 20:48 ` Davidlohr Bueso
2015-01-23 2:38 ` ethan zhao
2015-01-23 2:19 ` ethan zhao
2015-01-23 3:30 ` Davidlohr Bueso
2015-01-23 15:30 ` Ethan Zhao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54BF3971.2090003@colorfullife.com \
--to=manfred@colorfullife.com \
--cc=eparis@parisplace.org \
--cc=ethan.kernel@gmail.com \
--cc=ethan.kernel@gmail.conm \
--cc=ethan.zhao@oracle.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox