security_file_free contract/expectations

Ben Smith ben.smith at crowdstrike.com
Wed Jan 24 23:46:11 UTC 2024


Hi, I'm looking at a kernel panic and I'm trying to figure out whether the code in question is doing something that breaks the contract for the security_file_free hook. I'm specifically wondering whether it's expected/safe for code called from security_file_free to open and read from a file. In the case I'm looking at, what happens is:

- Process exit
- exit_fs() sets current->fs to NULL
- exit_task_work() calls __fput() on files which were closed in exit_files()
- __fput() calls security_file_free()
- security_file_free() then reads the file that was just closed in order to gather information about it.
- A filesystem driver (I've seen this with two out-of-tree filesystems) then accesses current->fs and panics.

So I'm wondering if the expectation here is that filesystem code should NULL-check current->fs before using it, or that an LSM shouldn't try to read a file from security_file_free().



