[PATCH for 6.8] tomoyo: fix UAF write bug in tomoyo_write_control()
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Fri Mar 1 13:04:06 UTC 2024
Since tomoyo_write_control() updates head->write_buf when write() of long
lines is requested, we need to fetch head->write_buf after head->io_sem is
held. Otherwise, concurrent write() requests can cause use-after-free-write
and double-free problems.
Reported-by: Sam Sun <samsun1006219 at gmail.com>
Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
Cc: stable at vger.kernel.org # Linux 3.1+
Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
---
I couldn't reproduce this problem in my environment, but I believe
this does fix a bug. Linus, can you directly apply to linux.git ?
If Linus wants a GIT PULL request, can Paul send this patch via LSM tree
because TOMOYO's git tree is not working?
security/tomoyo/common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 57ee70ae50f2..ea3140d510ec 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
{
int error = buffer_len;
size_t avail_len = buffer_len;
- char *cp0 = head->write_buf;
+ char *cp0;
int idx;
if (!head->write)
return -EINVAL;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
+ cp0 = head->write_buf;
head->read_user_buf_avail = 0;
idx = tomoyo_read_lock();
/* Read a line and dispatch it to the policy handler. */
--
2.34.1
More information about the Linux-security-module-archive
mailing list