From: Tianjia Zhang
To: Mimi Zohar, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Tianjia Zhang
Subject: [PATCH] integrity: Fix possible multiple allocation in integrity_inode_get()
Date: Tue, 30 May 2023 20:14:53 +0800
Message-Id: <20230530121453.10249-1-tianjia.zhang@linux.alibaba.com>

When integrity_inode_get() is querying and inserting the cache, there is a conditional race in the concurrent environment.

Query iint within the read-lock. If there is no result, allocate iint first and insert the iint cache in the write-lock protection. When the iint cache does not exist, and when multiple execution streams come at the same time, there will be a race condition, and multiple copies of iint will be allocated at the same time, and then put into the cache one by one under the write-lock protection.

This is mainly because the red-black tree insertion does not perform duplicate detection. This is not the desired result, when this happens, the repeated allocation should be freed and the existing iint cache should be returned.

Fixes: bf2276d10ce5 ("ima: allocating iint improvements")
Signed-off-by: Tianjia Zhang
Cc: Dmitry Kasatkin
Cc: # v3.10+
--- security/integrity/iint.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/security/integrity/iint.c b/security/integrity/iint.c index c73858e8c6d5..d49c843a88ee 100644
--- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -43,12 +43,10 @@ static struct integrity_iint_cache *__integrity_iint_find(struct inode *inode) else if (inode > iint->inode) n = n->rb_right; else - break; + return iint; } - if (!n) - return NULL; - return iint; + return NULL; } /* @@ -115,8 +113,13 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) rb_node); if (inode < test_iint->inode) p = &(*p)->rb_left; - else + else if (inode > test_iint->inode) p = &(*p)->rb_right; + else { + write_unlock(&integrity_iint_lock); + kmem_cache_free(iint_cache, iint); + return test_iint; + } } iint->inode = inode; -- 2.24.3 (Apple Git-128)
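Review bot: The commit message does not mention the change to `__integrity_iint_find()` in the first hunk (`return iint;` in place of `break;`, and a plain `return NULL;` after the loop). Assuming the loop runs while `n` is non-NULL, which the removed `if (!n)` check implies, the old and new forms return the same values, so this part is cleanup rather than part of the race fix. Because the patch carries a Fixes tag and a stable Cc, either say in the changelog that this hunk has no functional effect or move it to a separate patch, so the backport contains only the duplicate check in `integrity_inode_get()`.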
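Review bot: In the second hunk (`integrity_inode_get()`), the new `else { ... }` arm is braced while the `if (inode < test_iint->inode)` and `else if (inode > test_iint->inode)` arms before it are not; kernel coding style asks for braces on every arm once one of them needs them. A one-line comment on the `else` arm would also help, stating that another thread inserted an entry for this inode between the read-locked lookup and this write-locked walk. Without it, the early return with `write_unlock(&integrity_iint_lock)` and `kmem_cache_free(iint_cache, iint)` is easy to misread as an error path rather than the lost-race path that hands back the existing `test_iint`.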