Bug 61321

Summary: ipc/sem.c: Use after free with selinux
Product: Other
Reporter: Manfred Spraul (manfred)
Component: Other
Assignee: other_other
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
URL: http://marc.info/?l=linux-kernel&m=137898843310644
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 62061

Description Manfred Spraul 2013-09-15 10:44:56 UTC
The synchronization between security_sem_xx and security_sem_free was modified without updating security/*.c.

This created a use-after-free race with security/selinux/hooks.c

Affected: 3.0.10, 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = ipc_perms->security;
in ipc_has_perm (called from selinux_sem_xx()).
The call happens with just rcu_read_lock() held.

Now the other thread calls whatever operations are necessary to end up in sem_freeary(), which calls security_sem_free().
This ends up doing kfree(isec).
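Added example (not part of the report or of the kernel sources): a single-threaded userspace model of the interleaving described above. The reader loads `isec` inside a read-side critical section and is "preempted" at that exact point; the other side then frees the security object either immediately (the race the report describes) or by deferring the release until the last reader has left its critical section, which is the general RCU grace-period remedy for this class of bug, not a claim about the exact upstream patch. The names `rcu_read_lock_m`, `security_free_immediate`, `security_free_deferred` and `run_interleaving` are this model's own; "freed" is tracked with a flag rather than a real `free()` so the use-after-free is observable instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of the objects in the report: ipc_perms->security points at the LSM blob. */
struct sec_obj   { int sid; bool freed; };
struct ipc_perms { struct sec_obj *security; };

static struct sec_obj *deferred; /* one pending free, released after the grace period */
static int readers;              /* number of active read-side critical sections */

static void rcu_read_lock_m(void) { readers++; }

static void rcu_read_unlock_m(void)
{
    readers--;
    /* Last reader gone: the grace period has elapsed, pending frees may run. */
    if (readers == 0 && deferred) {
        deferred->freed = true;
        deferred = NULL;
    }
}

/* Racy variant: free the blob while a reader may still hold a pointer to it. */
static void security_free_immediate(struct ipc_perms *p)
{
    p->security->freed = true;
    p->security = NULL;
}

/* Safe variant: unlink now, free only once all current readers have finished. */
static void security_free_deferred(struct ipc_perms *p)
{
    deferred = p->security;
    p->security = NULL;
}

/* Replays the interleaving from the report and returns true if the reader
 * dereferenced an already-freed object, i.e. if the use-after-free occurred. */
static bool run_interleaving(void (*freer)(struct ipc_perms *))
{
    struct sec_obj obj = { .sid = 42, .freed = false }; /* constructed sample object */
    struct ipc_perms perms = { .security = &obj };

    rcu_read_lock_m();
    struct sec_obj *isec = perms.security; /* reader preempted right after this load */
    freer(&perms);                         /* other thread: sem_freeary -> security_sem_free */
    bool touched_freed = isec->freed;      /* reader resumes and uses isec */
    rcu_read_unlock_m();
    return touched_freed;
}
```

With the immediate free the reader observes a freed object; with the deferred free the release is postponed to `rcu_read_unlock_m`, so the reader's access is safe.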