Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Wed Jul 24 04:54:40 UTC 2019


On 2019/07/24 13:34, Eric Biggers wrote:
> On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
>>> --------------------------------------------------------------------------------
>>> Title:              KASAN: invalid-free in tomoyo_realpath_from_path
>>> Last occurred:      57 days ago
>>> Reported:           56 days ago
>>> Branches:           net-next
>>> Dashboard link:     https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
>>> Original thread:    https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
>>
>> This cannot be a TOMOYO's bug. We are waiting for a reproducer but
>> no crash occurred since then. Maybe it is time to close as invalid.
> 
> Maybe.  Did you check for stack buffer overflows in the functions that
> tomoyo_realpath_from_path() calls?  Perhaps something is corrupting the 'buf'
> variable in the parent's stack frame.
> 

What do you mean? If this crash were a stack buffer overflow, this crash
should have already occurred again.

Since the "buf" variable is a local variable, it cannot be shared between
two threads. Since "buf" is assigned as

  buf = kmalloc(buf_len, GFP_NOFS);

and nobody else is reassigning "buf",

  kfree(buf);

can't become an invalid free.



More information about the Linux-security-module-archive mailing list