Bug 61321 - ipc/sem.c: Use after free with selinux
Summary: ipc/sem.c: Use after free with selinux
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: other_other
URL: http://marc.info/?l=linux-kernel&m=13...
Keywords:
Depends on:
Blocks: 62061
  Show dependency tree
 
Reported: 2013-09-15 10:44 UTC by Manfred Spraul
Modified: 2013-09-25 07:46 UTC (History)
0 users

See Also:
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:


Attachments

Description Manfred Spraul 2013-09-15 10:44:56 UTC
The synchronization between security_sem_xx and security_sem_free was modified without updating security/*.c.

This created an use-after-free race with security/selinux/hooks.c

Affected: 3.0.10, 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = ipc_perms->security;
in ipc_has_perm (called from selinux_sem_xx()).
The call happens just with rcu_read_lock().

Now the other thread calls whatever operations are necessary to end up in sem_freeary(), which calls security_sem_free().
This ends up doing kfree(isec).

Note You need to log in before you can comment on or make changes to this bug.