lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241210010030.2854024-1-quic_jiangenj@quicinc.com>
Date: Tue, 10 Dec 2024 09:00:29 +0800
From: Joey Jiao <quic_jiangenj@...cinc.com>
To: Paul Moore <paul@...l-moore.com>,
        Stephen Smalley
	<stephen.smalley.work@...il.com>,
        Ondrej Mosnacek <omosnace@...hat.com>,
        "open list:SELINUX SECURITY MODULE" <selinux@...r.kernel.org>,
        open list
	<linux-kernel@...r.kernel.org>
CC: <kernel@...cinc.com>, <quic_jiangenj@...cinc.com>
Subject: [PATCH] selinux: KASAN; slab-out-of-bounds in avc_lookup

From: "Jiao, Joey" <quic_jiangenj@...cinc.com>

BUG: KASAN: slab-out-of-bounds in avc_lookup+0x174/0x298
Read of size 8 at addr ffffff8846ef70b1 by task spdaemon/1037

Call trace:
 dump_backtrace+0xf0/0x13c
 show_stack+0x18/0x28
 dump_stack_lvl+0xd0/0x128
 print_report+0x13c/0x6f8
 kasan_report+0xe8/0x148
 __asan_load8+0x98/0xa0
 avc_lookup+0x174/0x298
 avc_has_perm_noaudit+0x60/0x12c
 selinux_inode_permission+0x278/0x3cc
 security_inode_permission+0x84/0xc8
 inode_permission+0xb8/0x2b8
 link_path_walk+0x178/0x7c0
 path_lookupat+0x6c/0x298
 filename_lookup+0x11c/0x2e4
 vfs_statx+0xb4/0x3f0
 vfs_fstatat+0xfc/0x3e4
 __arm64_sys_newfstatat+0x88/0x340
 invoke_syscall+0x6c/0x17c
 el0_svc_common+0xf8/0x138
 do_el0_svc+0x30/0x40
 el0_svc+0x3c/0x70
 el0t_64_sync_handler+0x68/0xbc
 el0t_64_sync+0x19c/0x1a0

To fix this, protect the rcu read access

Signed-off-by: Jiao, Joey <quic_jiangenj@...cinc.com>
---
 security/selinux/avc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 32eb67fb3e42..ded3823d4451 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -528,6 +528,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
 
 	hvalue = avc_hash(ssid, tsid, tclass);
 	head = &selinux_avc.avc_cache.slots[hvalue];
+	rcu_read_lock();
 	hlist_for_each_entry_rcu(node, head, list) {
 		if (ssid == node->ae.ssid &&
 		    tclass == node->ae.tclass &&
@@ -536,6 +537,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
 			break;
 		}
 	}
+	rcu_read_unlock();
 
 	return ret;
 }
-- 
2.47.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ