[PATCH] Smack: fix use-after-free in smk_write_relabel_self()
Casey Schaufler
casey at schaufler-ca.com
Tue Jul 21 00:57:03 UTC 2020
On 7/20/2020 5:38 PM, Eric Biggers wrote:
> On Wed, Jul 08, 2020 at 01:15:20PM -0700, Eric Biggers wrote:
>> From: Eric Biggers <ebiggers at google.com>
>>
>> smk_write_relabel_self() frees memory from the task's credentials with
>> no locking, which can easily cause a use-after-free because multiple
>> tasks can share the same credentials structure.
>>
>> Fix this by using prepare_creds() and commit_creds() to correctly modify
>> the task's credentials.
>>
>> Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
>>
>> #include <fcntl.h>
>> #include <pthread.h>
>> #include <unistd.h>
>>
>> static void *thrproc(void *arg)
>> {
>> int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
>> for (;;) write(fd, "foo", 3);
>> }
>>
>> int main()
>> {
>> pthread_t t;
>> pthread_create(&t, NULL, thrproc, NULL);
>> thrproc(NULL);
>> }
>>
>> Reported-by: syzbot+e6416dabb497a650da40 at syzkaller.appspotmail.com
>> Fixes: 38416e53936e ("Smack: limited capability for changing process label")
>> Cc: <stable at vger.kernel.org> # v4.4+
>> Signed-off-by: Eric Biggers <ebiggers at google.com>
> Ping.
I have queued your patch and will be pushing it for next shortly.
More information about the Linux-security-module-archive
mailing list