From: Greg Kroah-Hartman Date: Mon, 10 Aug 2020 13:54:21 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.139~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c193ee045860bdc41a2bc8ca5161068b182998d6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: smack-fix-use-after-free-in-smk_write_relabel_self.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 59fc332c23d..ddca82daa7c 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -50,3 +50,4 @@ revert-vxlan-fix-tos-value-before-xmit.patch
 net-lan78xx-replace-bogus-endpoint-lookup.patch
 usb-hso-check-for-return-value-in-hso_serial_common_create.patch
 vxlan-ensure-fdb-dump-is-performed-under-rcu.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
diff --git a/queue-4.4/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-4.4/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644
index 00000000000..da5bfa8a754
--- /dev/null
+++ b/queue-4.4/smack-fix-use-after-free-in-smk_write_relabel_self.patch
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+ #include
+ #include
+ #include
+
+ static void *thrproc(void *arg)
+ {
+ int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+ for (;;) write(fd, "foo", 3);
+ }
+
+ int main()
+ {
+ pthread_t t;
+ pthread_create(&t, NULL, thrproc, NULL);
+ thrproc(NULL);
+ }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: # v4.4+
+Signed-off-by: Eric Biggers
+Signed-off-by: Casey Schaufler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/smack/smackfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2791,7 +2791,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct task_smack *tsp = current_security();
+ char *data;
+ int rc;
+ LIST_HEAD(list_tmp);
+@@ -2821,11 +2820,21 @@ static ssize_t smk_write_relabel_self(st
+ kfree(data);
+
+ if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++ struct cred *new;
++ struct task_smack *tsp;
++
++ new = prepare_creds();
++ if (!new) {
++ rc = -ENOMEM;
++ goto out;
++ }
++ tsp = new->security;
+ smk_destroy_label_list(&tsp->smk_relabel);
+ list_splice(&list_tmp, &tsp->smk_relabel);
++ commit_creds(new);
+ return count;
+ }
+-
++out:
+ smk_destroy_label_list(&list_tmp);
+ return rc;
+ }
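Review bot: The new prepare_creds()/commit_creds() sequence in the second smackfs.c hunk carries no comment saying why the credentials must be replaced rather than edited in place, so a later change could reintroduce the direct write through `current_security()` that this patch removes. Suggest a comment before `new = prepare_creds();`: `/* Credentials may be shared between tasks and must not be modified in place; build a private copy and commit it. */`. Nothing between prepare_creds() and commit_creds() can fail in the new code, so no abort_creds() path is needed today; a one-line comment at `commit_creds(new);` saying that any fallible step inserted between the two calls must release `new` via abort_creds() would protect that invariant. The body of smk_write_relabel_self() is only partly visible here — the first hunk stops at `LIST_HEAD(list_tmp);` and the parsing code before `kfree(data);` lies outside both hunks.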