Re: [PATCH 3.14 17/29] sysv, ipc: fix security-layer leaking

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: Fabian Frederick <fabf@skynet.be>,
	Davidlohr Bueso <dbueso@suse.de>,
	Manfred Spraul <manfred@colorfullife.com>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 3.14 17/29] sysv, ipc: fix security-layer leaking
Date: Sun, 21 Aug 2016 13:49:46 +0200	[thread overview]
Message-ID: <20160821114946.GA30629@1wt.eu> (raw)
In-Reply-To: <20160814200732.279601435@linuxfoundation.org>

Hi guys,

On Sun, Aug 14, 2016 at 10:07:45PM +0200, Greg Kroah-Hartman wrote:
> 3.14-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Fabian Frederick <fabf@skynet.be>
> 
> commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
> 
> Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
> to receive rcu freeing function but used generic ipc_rcu_free() instead
> of msg_rcu_free() which does security cleaning.
> 
> Running LTP msgsnd06 with kmemleak gives the following:
> 
>   cat /sys/kernel/debug/kmemleak
> 
>   unreferenced object 0xffff88003c0a11f8 (size 8):
>     comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
>     hex dump (first 8 bytes):
>       1b 00 00 00 01 00 00 00                          ........
>     backtrace:
>       kmemleak_alloc+0x23/0x40
>       kmem_cache_alloc_trace+0xe1/0x180
>       selinux_msg_queue_alloc_security+0x3f/0xd0
>       security_msg_queue_alloc+0x2e/0x40
>       newque+0x4e/0x150
>       ipcget+0x159/0x1b0
>       SyS_msgget+0x39/0x40
>       entry_SYSCALL_64_fastpath+0x13/0x8f
> 
> Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
> only use ipc_rcu_free in case of security allocation failure in newary()
> 
> Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
> Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
> Signed-off-by: Fabian Frederick <fabf@skynet.be>
> Cc: Davidlohr Bueso <dbueso@suse.de>
> Cc: Manfred Spraul <manfred@colorfullife.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The patch above was tagged for stable v3.12+, however it references a fix
that was backported in 3.10.16 as commit e84ca333, so I'm unsure whether
3.10 is affected or not. It *seems* to me that I should replace remaining
instances of ipc_rcu_free with sem_rcu_free in sem.c, and with msg_rcu_free
in msg.c, but I'd prefer a confirmation. For now I'm postponing this fix,
any hint would be much appreciated.

Thanks,
Willy

next prev parent reply	other threads:[~2016-08-21 11:49 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <CGME20160814200812uscas1p1ef0170d47bedbb472ff4f71fa6e71b1c@uscas1p1.samsung.com>
2016-08-14 20:07 ` [PATCH 3.14 00/29] 3.14.76-stable review Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 01/29] USB: fix invalid memory access in hub_activate() Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 02/29] mm: migrate dirty page without clear_page_dirty_for_io etc Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 03/29] printk: do cond_resched() between lines while outputting to consoles Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 04/29] x86/mm: Add barriers and document switch_mm()-vs-flush synchronization Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 05/29] sctp: Prevent soft lockup when sctp_accept() is called during a timeout event Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 06/29] x86/mm: Improve switch_mm() barrier comments Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 08/29] USB: fix up incorrect quirk Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 09/29] arm: oabi compat: add missing access checks Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 10/29] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 11/29] apparmor: fix ref count leak when profile sha1 hash is read Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 12/29] random: strengthen input validation for RNDADDTOENTCNT Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 13/29] scsi: remove scsi_end_request Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 14/29] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 15/29] IB/security: Restrict use of the write() interface Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 16/29] block: fix use-after-free in seq file Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 17/29] sysv, ipc: fix security-layer leaking Greg Kroah-Hartman
2016-08-21 11:49     ` Willy Tarreau [this message]
2016-08-29  9:23       ` Manfred Spraul
2016-08-29 11:49         ` Willy Tarreau
2016-08-14 20:07   ` [PATCH 3.14 18/29] fuse: fix wrong assignment of ->flags in fuse_send_init() Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 19/29] crypto: gcm - Filter out async ghash if necessary Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 20/29] crypto: scatterwalk - Fix test in scatterwalk_done Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 21/29] ext4: check for extents that wrap around Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 22/29] ext4: fix deadlock during page writeback Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 23/29] ext4: dont call ext4_should_journal_data() on the journal inode Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 24/29] ext4: short-cut orphan cleanup on error Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 25/29] bonding: set carrier off for devices created through netlink Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 26/29] net/irda: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 27/29] tcp: consider recv buf for the initial window scale Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 28/29] [PATCH 1/8] tcp: make challenge acks less predictable Greg Kroah-Hartman
2016-08-14 20:07   ` [PATCH 3.14 29/29] ext4: fix reference counting bug on block allocation error Greg Kroah-Hartman
2016-08-15 14:49   ` [PATCH 3.14 00/29] 3.14.76-stable review Guenter Roeck
2016-08-16  4:01   ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160821114946.GA30629@1wt.eu \
    --to=w@1wt.eu \
    --cc=dbueso@suse.de \
    --cc=fabf@skynet.be \
    --cc=linux-kernel@vger.kernel.org \
    --cc=manfred@colorfullife.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).