2006-09-22 23:13:33

by Kylene Jo Hall

[permalink] [raw]
Subject: [PATCH] slim: fix bug with mm_users usage

There is a NULL pointer dereference possible that was introduced in the
last round of modifications to the demotion code before merging.
current->mm should be checked for existence before it is dereferenced to
check the value of the mm_users field. This patch fixes all instances
of this bug.

Signed-off-by: Kylene Hall <[email protected]>
---
security/slim/slm_main.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

--- linux-2.6.18-rc6-orig/security/slim/slm_main.c 2006-09-18 16:41:51.000000000 -0500
+++ linux-2.6.18-rc6/security/slim/slm_main.c 2006-09-22 13:58:35.000000000 -0500
@@ -529,7 +519,7 @@ static int enforce_integrity_read(struct
spin_lock(&cur_tsec->lock);
if (!is_iac_less_than_or_exempt(level, cur_tsec->iac_r)) {
rc = has_file_wperm(level);
- if (atomic_read(&current->mm->mm_users) != 1)
+ if (current->mm && atomic_read(&current->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE, "ppid %d(%s p=%d-%s) "
@@ -1100,7 +1092,7 @@ int slm_socket_create(int family, int ty
memset(&level, 0, sizeof(struct slm_file_xattr));
level.iac_level = SLM_IAC_UNTRUSTED;
rc = has_file_wperm(&level);
- if (atomic_read(&current->mm->mm_users) != 1)
+ if (current->mm && atomic_read(&current->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,
@@ -1306,7 +1298,7 @@ static int enforce_integrity_execute(str
cur_tsec->iac_r = cur_tsec->iac_wx;
} else {
rc = has_file_wperm(level);
- if (atomic_read(&current->mm->mm_users) != 1)
+ if (current->mm && atomic_read(&current->mm->mm_users) != 1)
rc = 1;
if (rc) {
dprintk(SLM_BASE,



2006-09-23 14:38:44

by Hugh Dickins

[permalink] [raw]
Subject: Re: [PATCH] slim: fix bug with mm_users usage

On Fri, 22 Sep 2006, Kylene Jo Hall wrote:

Nothing to do with this patch as such, but as it went past I noticed

> --- linux-2.6.18-rc6-orig/security/slim/slm_main.c 2006-09-18 16:41:51.000000000 -0500
> +++ linux-2.6.18-rc6/security/slim/slm_main.c 2006-09-22 13:58:35.000000000 -0500
> @@ -529,7 +519,7 @@ static int enforce_integrity_read(struct
> spin_lock(&cur_tsec->lock);
> if (!is_iac_less_than_or_exempt(level, cur_tsec->iac_r)) {
> rc = has_file_wperm(level);
> - if (atomic_read(&current->mm->mm_users) != 1)
> + if (current->mm && atomic_read(&current->mm->mm_users) != 1)
> rc = 1;

I've not studied your patches, and I don't know what that line's about,
but you appear to be attaching considerable significance to the value of
mm->mm_users. Yet swapoff (try_to_unuse) has to bump it up to hold the
mm temporarily, as does get_task_mm() used in various places (mainly /proc).

Hugh