lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5236CE01.8010906@colorfullife.com>
Date:	Mon, 16 Sep 2013 11:23:13 +0200
From:	Manfred Spraul <manfred@...orfullife.com>
To:	Davidlohr Bueso <davidlohr@...com>
CC:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Rik van Riel <riel@...hat.com>,
	Mike Galbraith <efault@....de>, sedat.dilek@...il.com,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/4] ipc,shm: fix race with selinux

On 09/16/2013 05:04 AM, Davidlohr Bueso wrote:
> Currently, we check shm security only under RCU. Since selinux
> can free the security structure, through selinux_sem_free_security(),
> we can run into a use-after-free condition. This bug affects both
> shmctl and shmat syscalls.
>
> The fix is obvious, make sure we hold the kern_ipc_perm.lock while
> performing these security checks.
Actually: either kern_ipc_perm or down_xx(&shm_ids(ns).rwsem) is sufficient.

>
> Reported-by: Manfred Spraul <manfred@...orfullife.com>
> Signed-off-by: Davidlohr Bueso <davidlohr@...com>
> ---
>   ipc/shm.c | 23 ++++++++++++++---------
>   1 file changed, 14 insertions(+), 9 deletions(-)
>
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 2821cdf..bc3e897 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -781,18 +781,17 @@ static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
>   
>   	shp = container_of(ipcp, struct shmid_kernel, shm_perm);
>   
> +	ipc_lock_object(&shp->shm_perm);
>   	err = security_shm_shmctl(shp, cmd);
>   	if (err)
> -		goto out_unlock1;
> +		goto out_unlock0;
This change is not necessary: down_write(shm_ids(ns).rwsem) already 
synchronizes against another IPC_RMID.
But it doesn't hurt.

> @@ -960,11 +962,12 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
>   		}
>   
>   		audit_ipc_obj(&(shp->shm_perm));
> +
> +		ipc_lock_object(&shp->shm_perm);
>   		err = security_shm_shmctl(shp, cmd);
What about audit_ipc_obj()?
calls __audit_ipc_obj
calls security_ipc_getsecid
calls security_ops->ipc_getsecid, which can be selinux_ipc_getsecid
selinux_ipc_getsecid dereferences ipcp->security

Please: Restart from 3.0.9 (i.e. before the scalability improvement 
project was started)
Every function that is moved from "synchronization with ipc_lock()" to 
"only rcu_read_lock() held" must be checked.

--
     Manfred
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ