From 9db6de36bcbbd618c3c1228204b4837fd4c89fbf Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 Aug 2020 15:54:52 +0200
Subject: [PATCH] 4.14-stable patches added patches: smack-fix-use-after-free-in-smk_write_relabel_self.patch
---
 queue-4.14/series | 1 +
 ...after-free-in-smk_write_relabel_self.patch | 79 +++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100644 queue-4.14/smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.14/series b/queue-4.14/series
index f4c76f93e5b..d13a22fcf23 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -39,3 +39,4 @@ revert-vxlan-fix-tos-value-before-xmit.patch
 selftests-net-relax-cpu-affinity-requirement-in-msg_zerocopy-test.patch
 usb-hso-check-for-return-value-in-hso_serial_common_create.patch
 rxrpc-fix-race-between-recvmsg-and-sendmsg-on-immediate-call-failure.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.14/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-4.14/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644
index 00000000000..bf3d64c9a24
--- /dev/null
+++ b/queue-4.14/smack-fix-use-after-free-in-smk_write_relabel_self.patch
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+ #include
+ #include
+ #include
+
+ static void *thrproc(void *arg)
+ {
+ int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+ for (;;) write(fd, "foo", 3);
+ }
+
+ int main()
+ {
+ pthread_t t;
+ pthread_create(&t, NULL, thrproc, NULL);
+ thrproc(NULL);
+ }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: # v4.4+
+Signed-off-by: Eric Biggers
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smackfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2746,7 +2746,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_smack *tsp = current_security();
+ char *data;
+ int rc;
+ LIST_HEAD(list_tmp);
+@@ -2771,11 +2770,21 @@ static ssize_t smk_write_relabel_self(st
+ kfree(data);
+
+ if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++ struct cred *new;
++ struct task_smack *tsp;
++
++ new = prepare_creds();
++ if (!new) {
++ rc = -ENOMEM;
++ goto out;
++ }
++ tsp = new->security;
+ smk_destroy_label_list(&tsp->smk_relabel);
+ list_splice(&list_tmp, &tsp->smk_relabel);
++ commit_creds(new);
+ return count;
+ }
+-
++out:
+ smk_destroy_label_list(&list_tmp);
+ return rc;
+ }
-- 2.47.3
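Review bot: The new lines `tsp = new->security;` followed by the pre-existing `smk_destroy_label_list(&tsp->smk_relabel);` are only safe because the cred returned by prepare_creds() carries its own private copy of the relabel list, and nothing in the inner patch says so, so the destroy-then-splice still reads as an in-place edit of shared state; a one-line comment before `new = prepare_creds();` such as `/* new->security is a private copy of current's task_smack (smack_cred_prepare() duplicates smk_relabel), so its old list can be dropped and replaced here */` would make the invariant explicit. Whether smack_cred_prepare() deep-copies smk_relabel in this 4.14 tree is not visible on this page and should be confirmed in security/smack/smack_lsm.c before the backport is queued. The `rc == -EINVAL && list_empty(&list_tmp)` branch now also goes through prepare_creds()/commit_creds() only to replace the existing list with an empty one, which is pre-existing behaviour rather than a defect introduced here. The parsing loop that fills list_tmp lies between the two inner hunks and is not shown, so the rest of smk_write_relabel_self()'s body is outside this review.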