Commit f27f883d authored by Eric Biggers's avatar Eric Biggers Committed by Kelsey Skunberg

Smack: fix use-after-free in smk_write_relabel_self()

BugLink: https://bugs.launchpad.net/bugs/1892822

commit beb4ee67 upstream.

smk_write_relabel_self() frees memory from the task's credentials with
no locking, which can easily cause a use-after-free because multiple
tasks can share the same credentials structure.

Fix this by using prepare_creds() and commit_creds() to correctly modify
the task's credentials.

Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":

	#include <fcntl.h>
	#include <pthread.h>
	#include <unistd.h>

	static void *thrproc(void *arg)
	{
		int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
		for (;;) write(fd, "foo", 3);
	}

	int main()
	{
		pthread_t t;
		pthread_create(&t, NULL, thrproc, NULL);
		thrproc(NULL);
	}

Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
Fixes: 38416e53 ("Smack: limited capability for changing process label")
Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: default avatarIan May <ian.may@canonical.com>
Signed-off-by: default avatarKelsey Skunberg <kelsey.skunberg@canonical.com>
parent 8d0fbb75
...@@ -2791,7 +2791,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) ...@@ -2791,7 +2791,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct task_smack *tsp = current_security();
char *data; char *data;
int rc; int rc;
LIST_HEAD(list_tmp); LIST_HEAD(list_tmp);
...@@ -2821,11 +2820,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, ...@@ -2821,11 +2820,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
kfree(data); kfree(data);
if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
struct cred *new;
struct task_smack *tsp;
new = prepare_creds();
if (!new) {
rc = -ENOMEM;
goto out;
}
tsp = new->security;
smk_destroy_label_list(&tsp->smk_relabel); smk_destroy_label_list(&tsp->smk_relabel);
list_splice(&list_tmp, &tsp->smk_relabel); list_splice(&list_tmp, &tsp->smk_relabel);
commit_creds(new);
return count; return count;
} }
out:
smk_destroy_label_list(&list_tmp); smk_destroy_label_list(&list_tmp);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment