Bug 61341
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ipc/msg.c: Use after free with selinux | | |
| Product | Other | Reporter | Manfred Spraul (manfred) |
| Component | Other | Assignee | other_other |
| Status | RESOLVED CODE_FIX | | |
| Severity | normal | | |
| Priority | P1 | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://marc.info/?l=linux-kernel&m=137898843310644 | | |
| Kernel Version | | Subsystem | |
| Regression | Yes | Bisected commit-id | |
| Bug Depends on | | | |
| Bug Blocks | 62061 | | |
The synchronization between security_msg_xx and security_msg_free was modified without updating security/*.c. This created a use-after-free race with security/selinux/hooks.c.

Affected: 3.0.11, current head

Details: Assume a preemptible kernel that is preempted just after

> isec = msq->q_perm.security;

in selinux_msg_queue_msgrcv. The call happens just with rcu_read_lock(). Now the other thread calls whatever operations are necessary to end up in msg_freeque(), which calls security_msg_queue_free(). This ends up doing kfree(isec).
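The report describes the classic RCU lifetime rule being broken: a reader loads a pointer inside `rcu_read_lock()` and expects it to stay valid until `rcu_read_unlock()`, while the freeing side must wait out a grace period instead of calling `kfree()` directly. The following is an added, single-threaded userspace model of that rule; it is not code from the bug report or from the kernel. The `toy_rcu_*` helpers, `struct msg_security` and the two `free_security_*` variants are invented for the illustration, and the "free" is simulated (the memory stays mapped) so the dangling state can be observed without undefined behaviour.

```c
/* Added illustration (not from the bug report or the kernel): a single-threaded
 * userspace model of the RCU rule the report relies on. A reader holding the
 * read-side lock must be able to dereference a pointer it loaded until it
 * unlocks; the writer therefore may not release the object immediately but
 * must defer the release until all in-flight reader sections have ended
 * (call_rcu()/kfree_rcu() in the kernel). All names here are invented. */
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the security blob hanging off msq->q_perm.security. */
struct msg_security {
    int sid;
    bool live;   /* cleared when the object is "freed" (simulated, memory kept) */
};

/* Toy RCU state: number of active readers plus a list of objects whose
 * release is deferred until the readers drain (one "grace period"). */
#define MAX_PENDING 8
static int active_readers;
static struct msg_security *pending[MAX_PENDING];
static int npending;

static void toy_rcu_read_lock(void) { active_readers++; }

/* Run the deferred releases; only called when no reader section is active. */
static void toy_rcu_run_callbacks(void)
{
    for (int i = 0; i < npending; i++)
        pending[i]->live = false;      /* simulated kfree() */
    npending = 0;
}

static void toy_rcu_read_unlock(void)
{
    if (--active_readers == 0)
        toy_rcu_run_callbacks();
}

/* Buggy writer: releases immediately, as the report says
 * security_msg_queue_free() did with kfree(isec). */
static void free_security_immediate(struct msg_security *isec)
{
    isec->live = false;
}

/* Corrected writer: queue the release and let the grace period run it. */
static void free_security_deferred(struct msg_security *isec)
{
    if (npending < MAX_PENDING)
        pending[npending++] = isec;
    if (active_readers == 0)           /* no reader in flight: release now */
        toy_rcu_run_callbacks();
}

/* Models the reported interleaving: reader is preempted right after loading
 * isec, the freeing path runs, then the reader dereferences isec again.
 * Returns true if the reader still saw a live object (no use-after-free). */
static bool reader_survives(void (*writer_free)(struct msg_security *))
{
    struct msg_security obj = { .sid = 42, .live = true };
    struct msg_security *isec;
    bool ok;

    toy_rcu_read_lock();
    isec = &obj;              /* like: isec = msq->q_perm.security; */
    writer_free(isec);        /* the other thread's free path runs here */
    ok = isec->live;          /* reader's later use of isec */
    toy_rcu_read_unlock();    /* grace period ends; deferred releases run */
    return ok;
}

/* Confirms the deferred variant still releases the object, just later:
 * after the reader unlocks, the object is gone. */
static bool deferred_release_happens(void)
{
    struct msg_security obj = { .sid = 7, .live = true };

    toy_rcu_read_lock();
    free_security_deferred(&obj);
    bool live_inside = obj.live;
    toy_rcu_read_unlock();
    return live_inside && !obj.live;
}

int main(void)
{
    printf("immediate free, reader survives: %s\n",
           reader_survives(free_security_immediate) ? "yes" : "NO (use-after-free)");
    printf("deferred free,  reader survives: %s\n",
           reader_survives(free_security_deferred) ? "yes" : "NO");
    printf("deferred object released after grace period: %s\n",
           deferred_release_happens() ? "yes" : "no");
    return 0;
}
```

The model has no real concurrency; the "preemption" is just the call to the writer's free path placed between the reader's load and its later dereference, which is the exact window the report describes. Detecting the real bug in a kernel build is a job for KASAN or a slab-debug poison pattern rather than for this toy, but the structural point is the same: any object published under RCU must be released through a grace-period-deferred callback.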