Bug 61331

Summary:	ipc/shm.c: Use after free with selinux
Product:	Other	Reporter:	Manfred Spraul (manfred)
Component:	Other	Assignee:	other_other
Status:	RESOLVED CODE_FIX
Severity:	normal
Priority:	P1
Hardware:	All
OS:	Linux
URL:	http://marc.info/?l=linux-kernel&m=137898843310644
Kernel Version:		Subsystem:
Regression:	Yes	Bisected commit-id:
Bug Depends on:
Bug Blocks:	62061

Description Manfred Spraul 2013-09-15 10:47:16 UTC

The synchronization between security_shm_xx and security_shm_free was modified without updating security/*.c.

This created an use-after-free race with security/selinux/hooks.c

Affected: current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = ipc_perms->security;
in ipc_has_perm (called from e.g. selinux_shm_at()).
The call happens just with rcu_read_lock().

Now the other thread calls whatever operations are necessary to end up in sem_destroy(), which calls security_shm_free().
This ends up doing kfree(isec).

Comment 1 Manfred Spraul 2013-09-25 07:45:50 UTC

Fixed
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1