Bug 61341

Summary:	ipc/msg.c: Use after free with selinux
Product:	Other	Reporter:	Manfred Spraul (manfred)
Component:	Other	Assignee:	other_other
Status:	RESOLVED CODE_FIX
Severity:	normal
Priority:	P1
Hardware:	All
OS:	Linux
URL:	http://marc.info/?l=linux-kernel&m=137898843310644
Kernel Version:		Subsystem:
Regression:	Yes	Bisected commit-id:
Bug Depends on:
Bug Blocks:	62061

Description Manfred Spraul 2013-09-15 10:53:33 UTC

The synchronization between security_msg_xx and security_msg_free was modified without updating security/*.c.

This created an use-after-free race with security/selinux/hooks.c

Affected: 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = msq->q_perm.security;
in selinux_msg_queue_msgrcv.
The call happens just with rcu_read_lock().

Now the other thread calls whatever operations are necessary to end up in msg_freeque(), which calls security_msg_queue_free().
This ends up doing kfree(isec).

Comment 1 Manfred Spraul 2013-09-25 07:45:20 UTC

Fixed
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1