[PATCH] fix security_release_secctx seems broken
James Morris
jmorris at namei.org
Wed Oct 4 22:10:58 UTC 2017
On Wed, 4 Oct 2017, Konstantin Khlebnikov wrote:
> Just "getcap /bin/ping" is enough to tigger leak if file has capabilities.
> Selinux shouldn't be loaded because its release_secctx hook call kfree.
Ahh, makes sense.
>
> But sometimes it takes some time for kmemleak to find leak. Presumably
> because stale poiner stays on stack which could be reused nowdays.
Thanks for finding this!
--
James Morris
<jmorris at namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list