linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-07 22:14:04 +02:00

History

Eric Biggers 67b4be302c Smack: fix use-after-free in smk_write_relabel_self() commit `beb4ee6770` upstream. smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_creds() and commit_creds() to correctly modify the task's credentials. Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self": #include <fcntl.h> #include <pthread.h> #include <unistd.h> static void thrproc(void arg) { int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY); for (;;) write(fd, "foo", 3); } int main() { pthread_t t; pthread_create(&t, NULL, thrproc, NULL); thrproc(NULL); } Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com Fixes: `38416e5393` ("Smack: limited capability for changing process label") Cc: <stable@vger.kernel.org> # v4.4+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2020-08-11 15:32:36 +02:00
..
apparmor	apparmor: ensure that dfa state tables have entries	2020-07-22 09:32:06 +02:00
integrity	ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()	2020-06-22 09:05:26 +02:00
keys	mm: add kvfree_sensitive() for freeing sensitive data objects	2020-06-22 09:05:01 +02:00
loadpin
selinux	selinux: fix double free	2020-06-25 15:33:07 +02:00
smack	Smack: fix use-after-free in smk_write_relabel_self()	2020-08-11 15:32:36 +02:00
tomoyo	tomoyo: Use atomic_t for statistics counter	2020-02-05 14:43:38 +00:00
yama
commoncap.c	exec: Always set cap_ambient in cap_bprm_set_creds	2020-06-03 08:19:38 +02:00
device_cgroup.c
inode.c
Kconfig
lsm_audit.c
Makefile
min_addr.c
security.c