Bug 61331

Summary: ipc/shm.c: Use after free with selinux
Product: Other
Reporter: Manfred Spraul (manfred)
Component: Other
Assignee: other_other
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
URL: http://marc.info/?l=linux-kernel&m=137898843310644
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 62061

Description Manfred Spraul 2013-09-15 10:47:16 UTC
The synchronization between security_shm_xx and security_shm_free was modified without updating security/*.c.

This created a use-after-free race with security/selinux/hooks.c

Affected: current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = ipc_perms->security;
in ipc_has_perm (called from e.g. selinux_shm_at()).
The call happens just with rcu_read_lock().

Now the other thread calls whatever operations are necessary to end up in sem_destroy(), which calls security_shm_free().
This ends up doing kfree(isec).
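The interleaving above, replayed as a small single-threaded model. This is an added example, not code from the bug report or from the kernel: `ipc_perm_model`, `ipc_security`, `blob_kfree`, the `model_rcu_*` helpers and the deferred-release queue are assumptions that stand in for kern_ipc_perm, the LSM security blob, kfree() and RCU. "Freeing" only marks the blob dead so that the reader's later access is observable instead of undefined behaviour. `destroy_immediate` frees the blob as soon as the destroy path runs, which is the pattern the report describes; `destroy_deferred` unlinks it and releases it only once no reader is left, which is the discipline RCU requires of any object a reader may hold under rcu_read_lock().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for kern_ipc_perm and the LSM security blob it
 * points to; the names and fields are assumptions for this model only. */
struct ipc_security {
    int sid;
    bool freed;     /* stands in for "memory handed back to the allocator" */
};

struct ipc_perm_model {
    struct ipc_security *security;
};

/* Simulated RCU: a read-side nesting count plus a queue of blobs whose
 * release is deferred until no reader is left (a grace period). */
static int rcu_readers;
#define MAX_DEFERRED 16                         /* sized for this demo */
static struct ipc_security *deferred[MAX_DEFERRED];
static int n_deferred;

static void model_rcu_read_lock(void) { rcu_readers++; }

/* Model of kfree(): mark the blob dead instead of really freeing it. */
static void blob_kfree(struct ipc_security *b) { b->freed = true; }

/* Grace period: every deferred release becomes real once readers == 0. */
static void run_grace_period(void)
{
    for (int i = 0; i < n_deferred; i++)
        blob_kfree(deferred[i]);
    n_deferred = 0;
}

static void model_rcu_read_unlock(void)
{
    rcu_readers--;
    if (rcu_readers == 0)
        run_grace_period();
}

/* Buggy pattern from the report: the destroy path calls the LSM free hook
 * at once, although a reader may still hold the pointer it loaded under
 * rcu_read_lock(). */
static void destroy_immediate(struct ipc_perm_model *p)
{
    blob_kfree(p->security);
    p->security = NULL;
}

/* RCU-correct pattern: unlink now, release only after the grace period. */
static void destroy_deferred(struct ipc_perm_model *p)
{
    if (n_deferred < MAX_DEFERRED)
        deferred[n_deferred++] = p->security;
    p->security = NULL;
    if (rcu_readers == 0)
        run_grace_period();     /* no reader in flight: release right away */
}

/* Replay the interleaving from the report: the reader loads isec under
 * rcu_read_lock(), is preempted, the destroy path runs in another context,
 * then the reader resumes and dereferences isec.
 * Returns true if that dereference touched a freed blob. */
static bool race_scenario(void (*destroy)(struct ipc_perm_model *))
{
    struct ipc_security *blob = calloc(1, sizeof *blob);
    struct ipc_perm_model perm = { .security = blob };
    blob->sid = 42;

    model_rcu_read_lock();
    struct ipc_security *isec = perm.security;  /* isec = ipc_perms->security */

    destroy(&perm);             /* other thread, while the reader is preempted */

    bool use_after_free = isec->freed;          /* reader resumes and uses isec */
    model_rcu_read_unlock();    /* last reader leaves: grace period runs */

    free(blob);                 /* real release, outside the model */
    return use_after_free;
}

int main(void)
{
    printf("immediate free: use-after-free = %d\n", race_scenario(destroy_immediate));
    printf("deferred free:  use-after-free = %d\n", race_scenario(destroy_deferred));
    return 0;
}
```

The model makes the lifetime rule explicit: rcu_read_lock() only guarantees that memory a reader can reach stays valid until rcu_read_unlock() if every freeing path defers the release past the grace period (in the kernel, via call_rcu() or kfree_rcu()). A destroy path that frees the security blob directly breaks that contract for every reader that loaded the pointer under RCU.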