Reminder: 2 open syzbot bugs in "security/tomoyo" subsystem
Eric Biggers
ebiggers at kernel.org
Wed Jul 24 05:00:29 UTC 2019
On Wed, Jul 24, 2019 at 01:54:40PM +0900, Tetsuo Handa wrote:
> On 2019/07/24 13:34, Eric Biggers wrote:
> > On Wed, Jul 24, 2019 at 12:18:47PM +0900, Tetsuo Handa wrote:
> >>> --------------------------------------------------------------------------------
> >>> Title: KASAN: invalid-free in tomoyo_realpath_from_path
> >>> Last occurred: 57 days ago
> >>> Reported: 56 days ago
> >>> Branches: net-next
> >>> Dashboard link: https://syzkaller.appspot.com/bug?id=e9e5a1d41c3fb5d0f79aeea0e4cd535f160a6702
> >>> Original thread: https://lkml.kernel.org/lkml/000000000000785e9d0589ec359a@google.com/T/#u
> >>
> >> This cannot be a TOMOYO's bug. We are waiting for a reproducer but
> >> no crash occurred since then. Maybe it is time to close as invalid.
> >
> > Maybe. Did you check for stack buffer overflows in the functions that
> > tomoyo_realpath_from_path() calls? Perhaps something is corrupting the 'buf'
> > variable in the parent's stack frame.
> >
>
> What do you mean? If this crash were a stack buffer overflow, this crash
> should have already occurred again.
>
Well not necessarily, it could be very rare.
That being said, it was only seen on net-next and only once; so it could have
been caused by some broken patch elsewhere in the kernel that was only present
for a short time.
So if you aren't going to do anything else with this, please just go ahead and
invalidate it.
> Since the "buf" variable is a local variable, it cannot be shared between
> two threads. Since "buf" is assigned as
>
> buf = kmalloc(buf_len, GFP_NOFS);
>
> and nobody else is reassigning "buf",
>
> kfree(buf);
>
> can't become an invalid free.
>
- Eric
More information about the Linux-security-module-archive
mailing list