Bug 61341

Summary: ipc/msg.c: Use after free with selinux
Product: Other
Reporter: Manfred Spraul (manfred)
Component: Other
Assignee: other_other
Status: RESOLVED CODE_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
URL: http://marc.info/?l=linux-kernel&m=137898843310644
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 62061

Description Manfred Spraul 2013-09-15 10:53:33 UTC
The synchronization between security_msg_xx and security_msg_free was modified without updating security/*.c.

This created a use-after-free race with security/selinux/hooks.c

Affected: 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = msq->q_perm.security;
in selinux_msg_queue_msgrcv.
The call happens with just rcu_read_lock() held.

Now the other thread calls whatever operations are necessary to end up in msg_freeque(), which calls security_msg_queue_free().
This ends up doing kfree(isec).
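The interleaving described in the report, replayed in a small userspace model (an added example, not kernel or SELinux code): a reader fetches the security blob pointer under rcu_read_lock(), is "preempted", the queue is torn down, and the reader then dereferences the pointer it already holds. RCU is modelled by a reader count plus a queue of deferred callbacks, and "kfree" only marks the object freed so the stale access is detectable instead of undefined behaviour. The names isec_free_cb, msg_queue_free_immediate, msg_queue_free_deferred and replay_race are hypothetical; the deferred variant shows one common RCU-safe pattern (release the blob in a call_rcu callback so it outlives every pre-existing reader), not the specific patch that closed this bug.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel objects in the report. */
struct isec { int sid; bool freed; };            /* SELinux ipc security blob */
struct msg_queue { struct isec *security; bool freed; };

/* Toy RCU: readers_active counts rcu_read_lock() nesting across all readers;
 * a deferred callback may only run once no reader is active. */
static int readers_active;
#define MAX_PENDING 8
static void (*pending_fn[MAX_PENDING])(void *);
static void *pending_arg[MAX_PENDING];
static int pending_n;

static void rcu_read_lock(void) { readers_active++; }

static void rcu_read_unlock(void)
{
    readers_active--;
    if (readers_active == 0) {              /* grace period ends: run deferred frees */
        for (int i = 0; i < pending_n; i++)
            pending_fn[i](pending_arg[i]);
        pending_n = 0;
    }
}

/* Queue fn(p) to run after every currently active reader has left. */
static void call_rcu(void *p, void (*fn)(void *))
{
    if (readers_active == 0) { fn(p); return; }
    if (pending_n < MAX_PENDING) {
        pending_fn[pending_n] = fn;
        pending_arg[pending_n] = p;
        pending_n++;
    }
}

/* "kfree" of the blob: mark it instead of freeing so a stale read is observable. */
static void isec_free_cb(void *p) { ((struct isec *)p)->freed = true; }

/* Pattern the report describes: the blob is released synchronously while a
 * reader may still hold the pointer it obtained under rcu_read_lock(). */
static void msg_queue_free_immediate(struct msg_queue *q)
{
    isec_free_cb(q->security);
    q->freed = true;
}

/* Defensive pattern: release the blob only after a grace period. */
static void msg_queue_free_deferred(struct msg_queue *q)
{
    call_rcu(q->security, isec_free_cb);
    q->freed = true;
}

/* Replays the interleaving in the report with the given teardown routine.
 * Returns true if the reader dereferenced an already freed blob. */
bool replay_race(void (*free_fn)(struct msg_queue *))
{
    static struct isec blob;                /* constructed sample objects */
    static struct msg_queue q;
    blob = (struct isec){ .sid = 42, .freed = false };
    q = (struct msg_queue){ .security = &blob, .freed = false };

    rcu_read_lock();
    struct isec *isec = q.security;         /* isec = msq->q_perm.security; */
    free_fn(&q);                            /* other thread reaches msg_freeque() */
    bool uaf = isec->freed;                 /* reader resumes: is the blob gone? */
    int sid = isec->sid;                    /* the access the reader actually wanted */
    rcu_read_unlock();
    return uaf && sid == 42;
}

int main(void)
{
    printf("immediate free -> use after free: %s\n",
           replay_race(msg_queue_free_immediate) ? "yes" : "no");
    printf("deferred free  -> use after free: %s\n",
           replay_race(msg_queue_free_deferred) ? "yes" : "no");
    return 0;
}
```

The model is single-threaded, so the "other thread" is simply called between the pointer fetch and its use; that is exactly the window a preemption opens, and it makes the outcome deterministic. With immediate teardown the reader observes a freed blob; with call_rcu the callback is held back until rcu_read_unlock(), so the pointer stays valid for the whole read-side critical section.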