    sysv, ipc: fix security-layer leaking · 9b24fef9
    Fabian Frederick authored
    Commit 53dad6d3 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
    to receive rcu freeing function but used generic ipc_rcu_free() instead
    of msg_rcu_free() which does security cleaning.
    
    Running LTP msgsnd06 with kmemleak gives the following:
    
      cat /sys/kernel/debug/kmemleak
    
      unreferenced object 0xffff88003c0a11f8 (size 8):
        comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
        hex dump (first 8 bytes):
          1b 00 00 00 01 00 00 00                          ........
        backtrace:
          kmemleak_alloc+0x23/0x40
          kmem_cache_alloc_trace+0xe1/0x180
          selinux_msg_queue_alloc_security+0x3f/0xd0
          security_msg_queue_alloc+0x2e/0x40
          newque+0x4e/0x150
          ipcget+0x159/0x1b0
          SyS_msgget+0x39/0x40
          entry_SYSCALL_64_fastpath+0x13/0x8f
    
    Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
    only use ipc_rcu_free in case of security allocation failure in newary()
    
    Fixes: 53dad6d3 ("ipc: fix race with LSMs")
    Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
    Signed-off-by: Fabian Frederick <fabf@skynet.be>
    Cc: Davidlohr Bueso <dbueso@suse.de>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: <stable@vger.kernel.org>	[3.12+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
msg.c 24.1 KB
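
The leak pattern the commit message describes, as an added userspace C model that is not part of the commit or of the kernel source: a refcounted object whose final put takes a release callback, where passing the generic callback frees the container but leaves the security blob allocated. All names (`queue`, `putref`, `generic_free`, `queue_free`, `leaked_after`) are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, this is not kernel code. */
static int live_blobs;            /* outstanding "security" allocations */

struct queue {
    int refcount;
    void *security;               /* stands in for the LSM-allocated blob */
};

static struct queue *queue_new(void)
{
    struct queue *q = calloc(1, sizeof(*q));
    if (!q || !(q->security = malloc(8))) { free(q); return NULL; }
    live_blobs++;
    q->refcount = 1;
    return q;
}

/* Generic release: frees the container, knows nothing about q->security. */
static void generic_free(struct queue *q) { free(q); }

/* Type-specific release: security cleanup first, then the generic free. */
static void queue_free(struct queue *q)
{
    free(q->security);
    live_blobs--;
    generic_free(q);
}

/* Drop a reference; the caller chooses the release callback. */
static void putref(struct queue *q, void (*release)(struct queue *))
{
    if (--q->refcount == 0)
        release(q);
}

/* Returns how many security blobs are still allocated after teardown. */
static int leaked_after(void (*release)(struct queue *))
{
    live_blobs = 0;
    struct queue *q = queue_new();
    if (!q) return -1;
    void *blob = q->security;     /* kept only so the demo can clean up */
    putref(q, release);
    int leaked = live_blobs;
    if (leaked) { free(blob); live_blobs = 0; }
    return leaked;
}
```

`leaked_after(generic_free)` reports one outstanding blob and `leaked_after(queue_free)` reports none, which is the difference kmemleak surfaced in the backtrace above.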