Bug 61331
Summary: | ipc/shm.c: Use after free with selinux | ||
---|---|---|---|
Product: | Other | Reporter: | Manfred Spraul (manfred) |
Component: | Other | Assignee: | other_other |
Status: | RESOLVED CODE_FIX | ||
Severity: | normal | ||
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://marc.info/?l=linux-kernel&m=137898843310644 | ||
Kernel Version: | Subsystem: | ||
Regression: | Yes | Bisected commit-id: | |
Bug Depends on: | |||
Bug Blocks: | 62061 |
The synchronization between security_shm_xx and security_shm_free was modified without updating security/*.c. This created an use-after-free race with security/selinux/hooks.c Affected: current head Details: Assume a preemptible kernel that is preempted just after > isec = ipc_perms->security; in ipc_has_perm (called from e.g. selinux_shm_at()). The call happens just with rcu_read_lock(). Now the other thread calls whatever operations are necessary to end up in sem_destroy(), which calls security_shm_free(). This ends up doing kfree(isec).