lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0f6c6250-a786-b11c-5f82-55f3863bda4d@colorfullife.com>
Date:   Mon, 29 Aug 2016 11:23:55 +0200
From:   Manfred Spraul <manfred@...orfullife.com>
To:     Willy Tarreau <w@....eu>, Fabian Frederick <fabf@...net.be>,
        Davidlohr Bueso <dbueso@...e.de>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 3.14 17/29] sysv, ipc: fix security-layer leaking

Hi Willy,

On 08/21/2016 01:49 PM, Willy Tarreau wrote:
> Hi guys,
>
> On Sun, Aug 14, 2016 at 10:07:45PM +0200, Greg Kroah-Hartman wrote:
>> 3.14-stable review patch.  If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Fabian Frederick <fabf@...net.be>
>>
>> commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
>>
>> Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
>> to receive rcu freeing function but used generic ipc_rcu_free() instead
>> of msg_rcu_free() which does security cleaning.
>>
>> Running LTP msgsnd06 with kmemleak gives the following:
>>
>>    cat /sys/kernel/debug/kmemleak
>>
>>    unreferenced object 0xffff88003c0a11f8 (size 8):
>>      comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
>>      hex dump (first 8 bytes):
>>        1b 00 00 00 01 00 00 00                          ........
>>      backtrace:
>>        kmemleak_alloc+0x23/0x40
>>        kmem_cache_alloc_trace+0xe1/0x180
>>        selinux_msg_queue_alloc_security+0x3f/0xd0
>>        security_msg_queue_alloc+0x2e/0x40
>>        newque+0x4e/0x150
>>        ipcget+0x159/0x1b0
>>        SyS_msgget+0x39/0x40
>>        entry_SYSCALL_64_fastpath+0x13/0x8f
>>
>> Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
>> only use ipc_rcu_free in case of security allocation failure in newary()
>>
>> Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
>> Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
>> Signed-off-by: Fabian Frederick <fabf@...net.be>
>> Cc: Davidlohr Bueso <dbueso@...e.de>
>> Cc: Manfred Spraul <manfred@...orfullife.com>
>> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
>> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> The patch above was tagged for stable v3.12+, however it references a fix
> that was backported in 3.10.16 as commit e84ca333, so I'm unsure whether
> 3.10 is affected or not. It *seems* to me that I should replace remaining
> instances of ipc_rcu_free with sem_rcu_free in sem.c, and with msg_rcu_free
> in msg.c, but I'd prefer a confirmation. For now I'm postponing this fix,
> any hint would be much appreciated.
Yes, we need the patch for v3.10 as well.
There must be exactly two instances of ipc_rcu_free in each of sem.c, 
msg.c, shm.c:
It is called when security_{sem,msg_queue,shm}_alloc fails.
And obviously within sem_rcu_free, ... .

The rest must be sem_rcu_free(), ... .

Should I test if the patch from 3.14 works with v3.10?

--
     Manfred

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ