smack: Possible NULL pointer deref in cred_free hook.

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Wed Feb 7 02:54:43 UTC 2024


On 2024/02/07 10:39, Casey Schaufler wrote:
> On 2/6/2024 6:31 AM, Tetsuo Handa wrote:
>> Hello, Casey.
>>
>> I confirmed using fault injection shown below that smack_cred_free() is not
>> prepared for being called without successful smack_cred_prepare().
> 
> The failure cases for smack_cred_prepare() result from memory allocation
> failures. Since init_task_smack() is called before either of the potential
> memory allocations the state of the cred will be safe for smack_cred_free().
> The fault you've described here removes the init_task_smack(), which will
> always succeed, and which is sufficient to prevent the smack_cred_free()
> failure below. Are you suggesting that there is a case where a cred will
> be freed without ever having been "prepared"?

Yes. If smack_cred_prepare() is not the first entry of the cred_prepare list
and the first entry of the cred_prepare list failed, smack_cred_prepare()
will not be called (and therefore init_task_smack() will not be called).
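The hook-list behaviour described above, as a constructed model added here (not kernel code and not from either poster): a module that sits before Smack in the cred_prepare list fails, the later prepare hooks are skipped, but every module's cred_free hook still runs. The names other_cred_prepare, smack_cred_prepare_model, smack_cred_free_model and cred_lifecycle are assumptions of this example; the free hook shows the NULL check that keeps an unprepared cred from being dereferenced.

```c
/*
 * Constructed model (not kernel code) of the LSM hook-list semantics
 * discussed in the thread: cred_prepare hooks run in order and stop at
 * the first failure, while cred_free hooks run for every module.
 */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

struct cred { void *other_blob; void *smack_blob; };

/* Hypothetical module placed before Smack in the cred_prepare list. */
static int other_cred_prepare(struct cred *c, int inject_fault)
{
	if (inject_fault)
		return -ENOMEM;            /* simulated allocation failure */
	c->other_blob = calloc(1, 16);
	return c->other_blob ? 0 : -ENOMEM;
}

static void other_cred_free(struct cred *c)
{
	free(c->other_blob);
	c->other_blob = NULL;
}

/* Stand-in for Smack's per-cred state; it is set up only inside prepare. */
struct smack_state { int initialised; };

static int smack_cred_prepare_model(struct cred *c)
{
	struct smack_state *s = calloc(1, sizeof *s);
	if (!s)
		return -ENOMEM;
	s->initialised = 1;               /* plays the role of init_task_smack() */
	c->smack_blob = s;
	return 0;
}

/*
 * Hardened free hook: tolerates a cred whose prepare hook never ran.
 * Returns 1 when it had to skip a never-prepared cred, 0 otherwise.
 */
static int smack_cred_free_model(struct cred *c)
{
	struct smack_state *s = c->smack_blob;
	if (!s)
		return 1;                     /* without this check: NULL deref */
	free(s);
	c->smack_blob = NULL;
	return 0;
}

/*
 * Drives one cred through prepare (short-circuits on the first error)
 * and free (always runs every hook). Returns 1 if Smack's free hook saw
 * a cred that was never prepared, 0 if prepare and free were paired.
 */
int cred_lifecycle(int fault_in_first_hook)
{
	struct cred c = { NULL, NULL };
	int rc = other_cred_prepare(&c, fault_in_first_hook);

	if (rc == 0)
		rc = smack_cred_prepare_model(&c);   /* skipped when the first hook failed */

	/* security_cred_free(): every module's free hook runs regardless */
	other_cred_free(&c);
	return smack_cred_free_model(&c);
}

int main(void)
{
	/* fault injected -> Smack's free hook meets an unprepared cred */
	return (cred_lifecycle(1) == 1 && cred_lifecycle(0) == 0) ? 0 : 1;
}
```

With the fault injected into the first hook, cred_lifecycle() returns 1: the Smack free hook ran on a cred whose Smack state was never allocated, which is exactly the case the NULL check has to cover.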
