KASAN: use-after-free Read in tomoyo_realpath_from_path
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Thu Jun 6 02:08:29 UTC 2019
Here is a reproducer.
The problem is that TOMOYO is accessing already freed socket from security_file_open()
which later fails with -ENXIO (because we can't get file descriptor of sockets via
/proc/pid/fd/n interface), and the file descriptor is getting released before
security_file_open() completes because we do not raise "struct file"->f_count of
the file which is accessible via /proc/pid/fd/n interface. We can avoid this problem
if we can avoid calling security_file_open() which after all fails with -ENXIO.
How should we handle this race? Let LSM modules check if security_file_open() was
called on a socket?
----------------------------------------
diff --git a/fs/open.c b/fs/open.c
index b5b80469b93d..995ffcb37128 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -765,6 +765,12 @@ static int do_dentry_open(struct file *f,
error = security_file_open(f);
if (error)
goto cleanup_all;
+ if (!strcmp(current->comm, "a.out") &&
+ f->f_path.dentry->d_sb->s_magic == SOCKFS_MAGIC) {
+ printk("Start open(socket) delay\n");
+ schedule_timeout_killable(HZ * 5);
+ printk("End open(socket) delay\n");
+ }
error = break_lease(locks_inode(f), f->f_flags);
if (error)
----------------------------------------
----------------------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
int main(int argc, char *argv[])
{
pid_t pid = getpid();
int fd = socket(AF_ISDN, SOCK_RAW, 0);
char buffer[128] = { };
if (fork() == 0) {
close(fd);
snprintf(buffer, sizeof(buffer) - 1, "/proc/%u/fd/%u", pid, fd);
open(buffer, 3);
_exit(0);
}
sleep(2);
close(fd);
return 0;
}
----------------------------------------
----------------------------------------
getpid() = 32504
socket(AF_ISDN, SOCK_RAW, 0) = 3
clone(strace: Process 32505 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7efea30dda10) = 32505
[pid 32504] rt_sigprocmask(SIG_BLOCK, [CHLD], <unfinished ...>
[pid 32505] close(3 <unfinished ...>
[pid 32504] <... rt_sigprocmask resumed> [], 8) = 0
[pid 32505] <... close resumed> ) = 0
[pid 32504] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[pid 32505] open("/proc/32504/fd/3", O_ACCMODE <unfinished ...>
[pid 32504] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid 32504] nanosleep({2, 0}, 0x7ffd3c608150) = 0
[pid 32504] close(3) = 0
[pid 32504] exit_group(0) = ?
[pid 32504] +++ exited with 0 +++
<... open resumed> ) = -1 ENXIO (No such device or address)
exit_group(0) = ?
----------------------------------------
----------------------------------------
[ 95.109628] Start open(socket) delay
[ 97.113150] base_sock_release(00000000506a3239) sk=00000000016d0ceb
[ 100.142235] End open(socket) delay
----------------------------------------
More information about the Linux-security-module-archive
mailing list