[PATCH] SELinux: fix sidtab locking bug

This patch by Kaigai Kohei fixes a bug in the SELinux sidtab code, where we do a spin_unlock_irq() while nested under another irq lock, which enables interrupts and allows a deadlock to happen: sidtab_set() is called between POLICY_WRLOCK and POLICY_WRUNLOCK in services.c:1092. sidtab_set() uses SIDTAB_LOCK()/SIDTAB_UNLOCK(), but SIDTAB_UNLOCK() enables any interruptions because it's defined as spin_unlock_irq(). If an interruption occurs between SIDTAB_UNLOCK() and POLICY_WRUNLOCK, and interruption context try to hold the POLICY_RDLOCK, then a deadlock happen in the result. The solution is to save & restore flags on the inner lock, per the patch below. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Kaigai Kohei <kaigai@ak.jp.nec.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] SELinux: fix sidtab locking bug
This patch by Kaigai Kohei fixes a bug in the SELinux sidtab code, where we do a spin_unlock_irq() while nested under another irq lock, which enables interrupts and allows a deadlock to happen: sidtab_set() is called between POLICY_WRLOCK and POLICY_WRUNLOCK in services.c:1092. sidtab_set() uses SIDTAB_LOCK()/SIDTAB_UNLOCK(), but SIDTAB_UNLOCK() enables any interruptions because it's defined as spin_unlock_irq(). If an interruption occurs between SIDTAB_UNLOCK() and POLICY_WRUNLOCK, and interruption context try to hold the POLICY_RDLOCK, then a deadlock happen in the result. The solution is to save & restore flags on the inner lock, per the patch below. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil> Signed-off-by: Kaigai Kohei <kaigai@ak.jp.nec.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
e46c823e · James Morris · Linus Torvalds · de1750ca · e46c823e
Commit e46c823e authored Oct 27, 2004 by James Morris Committed by Linus Torvalds Oct 27, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 8 deletions

security/selinux/ss/sidtab.c security/selinux/ss/sidtab.c +13 -8

No files found.
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -16,8 +16,8 @@
 (sid & SIDTAB_HASH_MASK)

 #define INIT_SIDTAB_LOCK(s) spin_lock_init(&s->lock)
-#define SIDTAB_LOCK(s) spin_lock_irq(&s->lock)
-#define SIDTAB_UNLOCK(s) spin_unlock_irq(&s->lock)
+#define SIDTAB_LOCK(s, x) spin_lock_irqsave(&s->lock, x)
+#define SIDTAB_UNLOCK(s, x) spin_unlock_irqrestore(&s->lock, x)

 int sidtab_init(struct sidtab *s)
 {
@@ -237,12 +237,13 @@ int sidtab_context_to_sid(struct sidtab *s,
 {
 	u32 sid;
 	int ret = 0;
+	unsigned long flags;

 	*out_sid = SECSID_NULL;

 	sid = sidtab_search_context(s, context);
 	if (!sid) {
-		SIDTAB_LOCK(s);
+		SIDTAB_LOCK(s, flags);
 		/* Rescan now that we hold the lock. */
 		sid = sidtab_search_context(s, context);
 		if (sid)
@@ -257,7 +258,7 @@ int sidtab_context_to_sid(struct sidtab *s,
 		if (ret)
 			s->next_sid--;
 unlock_out:
-		SIDTAB_UNLOCK(s);
+		SIDTAB_UNLOCK(s, flags);
 	}

 	if (ret)
@@ -320,17 +321,21 @@ void sidtab_destroy(struct sidtab *s)

 void sidtab_set(struct sidtab *dst, struct sidtab *src)
 {
-	SIDTAB_LOCK(src);
+	unsigned long flags;
+
+	SIDTAB_LOCK(src, flags);
 	dst->htable = src->htable;
 	dst->nel = src->nel;
 	dst->next_sid = src->next_sid;
 	dst->shutdown = 0;
-	SIDTAB_UNLOCK(src);
+	SIDTAB_UNLOCK(src, flags);
 }

 void sidtab_shutdown(struct sidtab *s)
 {
-	SIDTAB_LOCK(s);
+	unsigned long flags;
+
+	SIDTAB_LOCK(s, flags);
 	s->shutdown = 1;
-	SIDTAB_UNLOCK(s);
+	SIDTAB_UNLOCK(s, flags);
 }