[PATCH] Smack: fix use-after-free in smk_write_relabel_self()

Casey Schaufler casey at schaufler-ca.com
Tue Jul 21 00:57:03 UTC 2020


On 7/20/2020 5:38 PM, Eric Biggers wrote:
> On Wed, Jul 08, 2020 at 01:15:20PM -0700, Eric Biggers wrote:
>> From: Eric Biggers <ebiggers at google.com>
>>
>> smk_write_relabel_self() frees memory from the task's credentials with
>> no locking, which can easily cause a use-after-free because multiple
>> tasks can share the same credentials structure.
>>
>> Fix this by using prepare_creds() and commit_creds() to correctly modify
>> the task's credentials.
>>
>> Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
>>
>> 	#include <fcntl.h>
>> 	#include <pthread.h>
>> 	#include <unistd.h>
>>
>> 	static void *thrproc(void *arg)
>> 	{
>> 		int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
>> 		for (;;) write(fd, "foo", 3);
>> 	}
>>
>> 	int main()
>> 	{
>> 		pthread_t t;
>> 		pthread_create(&t, NULL, thrproc, NULL);
>> 		thrproc(NULL);
>> 	}
>>
>> Reported-by: syzbot+e6416dabb497a650da40 at syzkaller.appspotmail.com
>> Fixes: 38416e53936e ("Smack: limited capability for changing process label")
>> Cc: <stable at vger.kernel.org> # v4.4+
>> Signed-off-by: Eric Biggers <ebiggers at google.com>
> Ping.

I have queued your patch and will be pushing it for next shortly.



More information about the Linux-security-module-archive mailing list