Message-ID: <70bfa1c9-6790-4537-bdc5-5d633c6ea806@I-love.SAKURA.ne.jp>
Date: Fri, 1 Mar 2024 22:04:06 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: [PATCH for 6.8] tomoyo: fix UAF write bug in tomoyo_write_control()
From: Tetsuo Handa
To: Sam Sun, paul@paul-moore.com, Linus Torvalds
Cc: syzkaller@googlegroups.com, takedakn@nttdata.co.jp, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org

Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.

Reported-by: Sam Sun
Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
Cc: stable@vger.kernel.org # Linux 3.1+
Signed-off-by: Tetsuo Handa
---
I couldn't reproduce this problem in my environment, but I believe this does fix a bug.

Linus, can you apply this directly to linux.git? If Linus wants a GIT PULL request, can Paul send this patch via the LSM tree, because TOMOYO's git tree is not working?

 security/tomoyo/common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 57ee70ae50f2..ea3140d510ec 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
 {
 	int error = buffer_len;
 	size_t avail_len = buffer_len;
-	char *cp0 = head->write_buf;
+	char *cp0;
 	int idx;
 
 	if (!head->write)
 		return -EINVAL;
 	if (mutex_lock_interruptible(&head->io_sem))
 		return -EINTR;
+	cp0 = head->write_buf;
 	head->read_user_buf_avail = 0;
 	idx = tomoyo_read_lock();
 	/* Read a line and dispatch it to the policy handler. */
-- 
2.34.1
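Review bot: the deferred fetch (the new `cp0 = head->write_buf;` placed after `mutex_lock_interruptible(&head->io_sem)`) is the right fix for the ordering problem the commit message describes, but nothing in the hunk records why the assignment must follow the lock, so a later cleanup that hoists the initialisation back into the `char *cp0;` declaration would silently reintroduce the use-after-free. Suggest a one-line comment at the new assignment, e.g. `/* write_buf may be replaced by a concurrent writer; read it under io_sem. */`. The early `return -EINTR` path needs no change: in the visible lines cp0 is not used before the lock is taken, so leaving it uninitialised until after the lock is safe.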
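The race the commit message describes can be made concrete without kernel code. The following is an added, user-space model written for this page; it is not TOMOYO's code and the struct, field and function names (io_buf, io_sem_held, concurrent_long_write, write_control_before_fix, write_control_after_fix) are hypothetical simplifications. The "concurrent writer" is modelled after the commit message's description of a long-line write() replacing head->write_buf under io_sem, and the interleaving is driven explicitly by a hook instead of by real threads so the outcome is deterministic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the TOMOYO I/O buffer: only the
 * fields the race involves.  io_sem is modelled as a held/not-held flag
 * because the interleaving below is driven explicitly, not by threads. */
struct io_buf {
	int io_sem_held;
	char *write_buf;
	size_t write_buf_size;
};

/* Model of mutex_lock()/mutex_unlock(): abort on misuse so a broken
 * interleaving cannot go unnoticed. */
static void io_sem_lock(struct io_buf *head)
{
	if (head->io_sem_held)
		abort();
	head->io_sem_held = 1;
}

static void io_sem_unlock(struct io_buf *head)
{
	head->io_sem_held = 0;
}

static struct io_buf *make_io_buf(size_t size)
{
	struct io_buf *head = calloc(1, sizeof(*head));
	if (!head)
		return NULL;
	head->write_buf = calloc(1, size);
	if (!head->write_buf) {
		free(head);
		return NULL;
	}
	head->write_buf_size = size;
	return head;
}

static void free_io_buf(struct io_buf *head)
{
	if (!head)
		return;
	free(head->write_buf);
	free(head);
}

/* What a concurrent write() of a long line does under io_sem, modelled
 * after the commit message: write_buf is replaced by a bigger allocation
 * and the old one is freed.  Any pointer copied out before this ran is
 * now dangling.  The new block is allocated before the old one is freed,
 * so the two addresses are guaranteed to differ. */
static void concurrent_long_write(struct io_buf *head)
{
	io_sem_lock(head);
	size_t new_size = head->write_buf_size * 2;
	char *cp = calloc(1, new_size);
	if (cp) {
		memcpy(cp, head->write_buf, head->write_buf_size);
		free(head->write_buf);
		head->write_buf = cp;
		head->write_buf_size = new_size;
	}
	io_sem_unlock(head);
}

/* Hook that runs "between" two steps of write_control, standing in for
 * the other CPU's write() request. */
typedef void (*interleave_fn)(struct io_buf *head);

/* Pre-fix ordering: write_buf is read before io_sem is taken.
 * Returns true if the pointer about to be used still owns the buffer,
 * false if it is stale (the real code would then write through it and
 * later free it a second time; the dereference is omitted here because
 * it is undefined behaviour). */
static bool write_control_before_fix(struct io_buf *head, interleave_fn race)
{
	char *cp0 = head->write_buf;	/* fetched without the lock */
	if (race)
		race(head);		/* other writer reallocates write_buf */
	io_sem_lock(head);
	bool still_valid = (cp0 == head->write_buf);
	io_sem_unlock(head);
	return still_valid;
}

/* Post-fix ordering: io_sem first, then write_buf.  The concurrent
 * writer can only run before we hold the lock, so whatever it did is
 * already visible when cp0 is read. */
static bool write_control_after_fix(struct io_buf *head, interleave_fn race)
{
	if (race)
		race(head);		/* runs while we are still waiting */
	io_sem_lock(head);
	char *cp0 = head->write_buf;	/* fetched under the lock */
	bool still_valid = (cp0 == head->write_buf);
	io_sem_unlock(head);
	return still_valid;
}
```

Calling write_control_before_fix with concurrent_long_write as the hook returns false: the pointer copied before the lock no longer matches the buffer the object owns, which is exactly the window the patch closes by moving the fetch under io_sem. With the hook set to NULL (no interleaving) the pre-fix ordering happens to be fine, which is why the bug needs concurrent write() requests to show up and why the author could not reproduce it in a single-writer environment.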