Bug 61331 - ipc/shm.c: Use after free with selinux
Summary: ipc/shm.c: Use after free with selinux
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: other_other
URL: http://marc.info/?l=linux-kernel&m=13...
Keywords:
Depends on:
Blocks: 62061
Reported: 2013-09-15 10:47 UTC by Manfred Spraul
Modified: 2013-09-25 07:45 UTC

See Also:
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:


Description Manfred Spraul 2013-09-15 10:47:16 UTC
The synchronization between security_shm_xx and security_shm_free was modified without updating security/*.c.

This created a use-after-free race with security/selinux/hooks.c.

Affected: current head

Details:
Assume a preemptible kernel that is preempted just after
> isec = ipc_perms->security;
in ipc_has_perm (called from e.g. selinux_shm_at()).
The call happens just with rcu_read_lock().

Now the other thread calls whatever operations are necessary to end up in sem_destroy(), which calls security_shm_free().
This ends up doing kfree(isec).
