Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp523403pxk; Wed, 2 Sep 2020 07:57:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxpOk/lphpJg3Zb/nGlDWVyEK1VPwdMOjVC370Odm1aC3KENUkSogmzdYr6Q7GhFQG80lQA X-Received: by 2002:a05:6402:326:: with SMTP id q6mr471171edw.216.1599058650576; Wed, 02 Sep 2020 07:57:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599058650; cv=none; d=google.com; s=arc-20160816; b=YR70k8yMv9aYJ4ps+Rc60IOc9AnypqpxhgqtVDpeE51P6yQ7l2nYwulG7iDS64JyVN uKUZL+hEFhFXIR19A6jXpQ+iOXtSgV91JYdRc1843OX8fhgU1wPIxUQ3lVcImUbj7JP9 bpEq3Po8AwQPdwvyFHSBtcKv86mzeNFNvJ6k+c5ng7Kx9YjNN/HR99xKRGNrSfqt26La zs8vI/Cug3/tsn12u2ZN94DpALS0nL7BPDS7DiWSY9v/2ajHqba5DKkq2nkgLOt/X1gi 86hklkKPcZtQinuR3FBmh+XDct1NrZKUyD8KiYUTyPchNBw7YtFdOzFqYYIcjU6AVqaP vq6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-signature; bh=7PqQE5cZt4VblhYOFjuBF76nPiqQ+OY9NWSl6QlW+yY=; b=Os2+nejC0HofAdYEVVgJBkFFSDPQDsPCajovzNWAX928Q2bRUgU6SiCWqGclE3Ea4j lGu2ntMTPg7vFkgkh75SyQREmh9EJOSYAZfzrL8OgpAhs3afLizxkhvT5luvpYBk5glz ZFU0NkNIyjZbyBXIF8VtK7AWTLxkdll9C3JUeF7aAEC+hxafG/GiaeluyV5WCuT2TohD Yxbz03o8oCcyyM4Zme4ErW9ljsA2KEsTzN1TjlkRz9jMKfHLTAkYZ4DRSIdYbPvz/7nM WneSp7MnIsWZk6Df0nSv4lIzpUdT4sA4xjXwcyR5iAJnRSRgM5YDwkKOdhu+xfLJcJ4F d/NQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm1 header.b="Ik/dePyz"; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=ovfYQGFG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g3si2800387ejc.600.2020.09.02.07.57.06; Wed, 02 Sep 2020 07:57:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm1 header.b="Ik/dePyz"; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=ovfYQGFG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728255AbgIBOuO (ORCPT + 99 others); Wed, 2 Sep 2020 10:50:14 -0400 Received: from new2-smtp.messagingengine.com ([66.111.4.224]:57659 "EHLO new2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726674AbgIBOK4 (ORCPT ); Wed, 2 Sep 2020 10:10:56 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailnew.nyi.internal (Postfix) with ESMTP id A92C95804E0; Wed, 2 Sep 2020 10:10:02 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Wed, 02 Sep 2020 10:10:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho.pizza; h= from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; s=fm1; bh=7PqQE5cZt4VblhYOFjuBF76nPi qQ+OY9NWSl6QlW+yY=; b=Ik/dePyzFb9DjEnkX6mBpWhIC5q8lnvR7KVTQIhzNG ZX2MHIsErogNQbToOA0wgSzuT7MzW5m7VEFc8abaQZJbuKAqAMjb8Kche59WgD11 nJZR+XvWL5Fmn5XoOF8Tsfr2MbFOtNYvnieUMhu0KwODBMLA5/gH8UhNphCiB3CN POs3ngjUw1sbJpVWCj6gPaFsh6mrHwN6yIHCPp6KJ2N7a+4oeBS6yIX7ZK1WnT40 zsJRUC7XtoQ+//WLplFUPUHhHn8qfDdwHRWR7HqQ/OOk1WUuLdC1+Zh95kty4Ia5 kc62Q2Ayj3aK+ampuMg8ukY9Ykl6C4nYUmtg6e2ULeMQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:date:from :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=7PqQE5cZt4VblhYOF juBF76nPiqQ+OY9NWSl6QlW+yY=; b=ovfYQGFGto3wTFfVtbTt5ITF4AHVGlqi3 etwi4cd9+FDTy+yPbYqDlyKu0G9CTQ9czZmUlN05KMAXuSN6F5OtPd04GTp73jcc RngsOPJzWvkd9X9H1EQINNwuBHIzyyQNXtrxpkMIK6vufY+afa99C26VSGNu3fCT FdQhXwSUj/wzdluhVJSvQ7iZ6eVbYe6v0pwDKzgznk2uD4HLT9tH1wtUbTni3ukY qZiAGmBflvuKJ7SL2E5cre65xzTBCdhkrsMxAMQaocsCvejMVV5xUlDverK0Ip/B BBIE9k+TUu1gqyhApyD1e5mHlITPsdavqIRMIfMboMw2UOqCHCFhw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgjeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefvhigthhhoucet nhguvghrshgvnhcuoehthigthhhosehthigthhhordhpihiiiigrqeenucggtffrrghtth gvrhhnpeelveehveejgefgkedttedvteffgfelfeeuveduteelvdduhefhjeetjeehheel keenucfkphepuddvkedruddtjedrvdeguddrudejkeenucfuphgrmhfkphfpvghtfihorh hkpeduvdekrddutdejrddvgedurddujeeknecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomhepthihtghhohesthihtghhohdrphhiiiiirg X-ME-Proxy: Received: from cisco.hsd1.co.comcast.net (unknown [128.107.241.178]) by mail.messagingengine.com (Postfix) with ESMTPA id 0A334306005F; Wed, 2 Sep 2020 10:09:59 -0400 (EDT) From: Tycho Andersen To: Kees Cook Cc: linux-kernel@vger.kernel.org, Christian Brauner , Tycho Andersen , Christian Brauner Subject: [PATCH] seccomp: don't leave dangling ->notif if file allocation fails Date: Wed, 2 Sep 2020 08:09:53 -0600 Message-Id: <20200902140953.1201956-1-tycho@tycho.pizza> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian and Kees both pointed out that this is a bit sloppy to open-code both places, and Christian points out that we leave a dangling pointer to ->notif if file allocation fails. Since we check ->notif for null in order to determine if it's ok to install a filter, this means people won't be able to install a filter if the file allocation fails for some reason, even if they subsequently should be able to. To fix this, let's hoist this free+null into its own little helper and use it. Reported-by: Kees Cook Reported-by: Christian Brauner Signed-off-by: Tycho Andersen --- kernel/seccomp.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index bb0dd9ae699a..676d4af62103 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1109,6 +1109,12 @@ static long seccomp_set_mode_strict(void) } #ifdef CONFIG_SECCOMP_FILTER +static void seccomp_notify_free(struct seccomp_filter *filter) +{ + kfree(filter->notif); + filter->notif = NULL; +} + static void seccomp_notify_detach(struct seccomp_filter *filter) { struct seccomp_knotif *knotif; @@ -1138,8 +1144,7 @@ static void seccomp_notify_detach(struct seccomp_filter *filter) complete(&knotif->ready); } - kfree(filter->notif); - filter->notif = NULL; + seccomp_notify_free(filter); mutex_unlock(&filter->notify_lock); } @@ -1494,7 +1499,7 @@ static struct file *init_listener(struct seccomp_filter *filter) out_notif: if (IS_ERR(ret)) - kfree(filter->notif); + seccomp_notify_free(filter); out: return ret; } base-commit: 7b6aa0bb62fd6fd50f2d14136136262d28fb2dfe -- 2.25.1