Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757355Ab3IPJXT (ORCPT ); Mon, 16 Sep 2013 05:23:19 -0400 Received: from mail-bk0-f51.google.com ([209.85.214.51]:54916 "EHLO mail-bk0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757307Ab3IPJXS (ORCPT ); Mon, 16 Sep 2013 05:23:18 -0400 Message-ID: <5236CE01.8010906@colorfullife.com> Date: Mon, 16 Sep 2013 11:23:13 +0200 From: Manfred Spraul User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8 MIME-Version: 1.0 To: Davidlohr Bueso CC: Linus Torvalds , Andrew Morton , Rik van Riel , Mike Galbraith , sedat.dilek@gmail.com, Linux Kernel Mailing List Subject: Re: [PATCH 1/4] ipc,shm: fix race with selinux References: <1379300677-24188-1-git-send-email-davidlohr@hp.com> <1379300677-24188-2-git-send-email-davidlohr@hp.com> In-Reply-To: <1379300677-24188-2-git-send-email-davidlohr@hp.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2123 Lines: 59 On 09/16/2013 05:04 AM, Davidlohr Bueso wrote: > Currently, we check shm security only under RCU. Since selinux > can free the security structure, through selinux_sem_free_security(), > we can run into a use-after-free condition. This bug affects both > shmctl and shmat syscalls. > > The fix is obvious, make sure we hold the kern_ipc_perm.lock while > performing these security checks. Actually: either kern_ipc_perm or down_xx(&shm_ids(ns).rwsem) is sufficient. > > Reported-by: Manfred Spraul > Signed-off-by: Davidlohr Bueso > --- > ipc/shm.c | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > > diff --git a/ipc/shm.c b/ipc/shm.c > index 2821cdf..bc3e897 100644 > --- a/ipc/shm.c > +++ b/ipc/shm.c > @@ -781,18 +781,17 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, > > shp = container_of(ipcp, struct shmid_kernel, shm_perm); > > + ipc_lock_object(&shp->shm_perm); > err = security_shm_shmctl(shp, cmd); > if (err) > - goto out_unlock1; > + goto out_unlock0; This change is not necessary: down_write(shm_ids(ns).rwsem) already synchronizes against another IPC_RMID. But it doesn't hurt. > @@ -960,11 +962,12 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) > } > > audit_ipc_obj(&(shp->shm_perm)); > + > + ipc_lock_object(&shp->shm_perm); > err = security_shm_shmctl(shp, cmd); What about audit_ipc_obj()? calls __audit_ipc_obj calls security_ipc_getsecid calls security_ops->ipc_getsecid, which can be selinux_ipc_getsecid selinux_ipc_getsecid dereferences ipcp->security Please: Restart from 3.0.9 (i.e. before the scalability improvement project was started) Every function that is moved from "synchronization with ipc_lock()" to "only rcu_read_lock() held" must be checked. -- Manfred -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/