Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Wed Jul 24 04:54:40 UTC 2019
On 2019/07/24 13:34, Eric Biggers wrote:
> On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
>>> --------------------------------------------------------------------------------
>>> Title: KASAN: invalid-free in tomoyo_realpath_from_path
>>> Last occurred: 57 days ago
>>> Reported: 56 days ago
>>> Branches: net-next
>>> Dashboard link: https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
>>> Original thread: https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
>>
>> This cannot be a TOMOYO's bug. We are waiting for a reproducer but
>> no crash occurred since then. Maybe it is time to close as invalid.
>
> Maybe. Did you check for stack buffer overflows in the functions that
> tomoyo_realpath_from_path() calls? Perhaps something is corrupting the 'buf'
> variable in the parent's stack frame.
>
What do you mean? If this crash were a stack buffer overflow, this crash
should have already occurred again.
Since the "buf" variable is a local variable, it cannot be shared between
two threads. Since "buf" is assigned as
buf = kmalloc(buf_len, GFP_NOFS);
and nobody else is reassigning "buf",
kfree(buf);
can't become an invalid free.
More information about the Linux-security-module-archive
mailing list