fix security_release_secctx seems broken

Message ID	ec271e46-07d3-78ba-e58d-3606b0889cbf@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> Subject: [PATCH] fix security_release_secctx seems broken To: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>, linux-kernel <linux-kernel@vger.kernel.org> Cc: Serge Hallyn <serge@hallyn.com>, James Morris <james.l.morris@oracle.com>, LSM List <linux-security-module@vger.kernel.org>, Casey Schaufler <casey@schaufler-ca.com> References: <d09e29aa-f34c-3260-677a-3017cd1cd347@yandex-team.ru> <c007fac4-4e2a-6076-513d-6f52f7133a2d@schaufler-ca.com> From: Casey Schaufler <casey@schaufler-ca.com> Message-ID: <ec271e46-07d3-78ba-e58d-3606b0889cbf@schaufler-ca.com> Date: Tue, 19 Sep 2017 09:39:08 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <c007fac4-4e2a-6076-513d-6f52f7133a2d@schaufler-ca.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Message ID

ec271e46-07d3-78ba-e58d-3606b0889cbf@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

Subject: [PATCH] fix security_release_secctx seems broken
To: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
	linux-kernel <linux-kernel@vger.kernel.org>
Cc: Serge Hallyn <serge@hallyn.com>,
	James Morris <james.l.morris@oracle.com>,
	LSM List <linux-security-module@vger.kernel.org>,
	Casey Schaufler <casey@schaufler-ca.com>
References: <d09e29aa-f34c-3260-677a-3017cd1cd347@yandex-team.ru>
	<c007fac4-4e2a-6076-513d-6f52f7133a2d@schaufler-ca.com>
From: Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <ec271e46-07d3-78ba-e58d-3606b0889cbf@schaufler-ca.com>
Date: Tue, 19 Sep 2017 09:39:08 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
	Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <c007fac4-4e2a-6076-513d-6f52f7133a2d@schaufler-ca.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Commit Message

Casey Schaufler Sept. 19, 2017, 4:39 p.m. UTC

Subject: [PATCH] fix security_release_secctx seems broken

security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SElinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.

The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

---
 fs/xattr.c                 |  2 +-
 security/smack/smack_lsm.c | 55 +++++++++++++++++++++-------------------------
 2 files changed, 26 insertions(+), 31 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Konstantin Khlebnikov Sept. 20, 2017, 11:48 a.m. UTC | #1

On 19.09.2017 19:39, Casey Schaufler wrote:
> Subject: [PATCH] fix security_release_secctx seems broken
> 
> security_inode_getsecurity() provides the text string value
> of a security attribute. It does not provide a "secctx".
> The code in xattr_getsecurity() that calls security_inode_getsecurity()
> and then calls security_release_secctx() happened to work because
> SElinux and Smack treat the attribute and the secctx the same way.
> It fails for cap_inode_getsecurity(), because that module has no
> secctx that ever needs releasing. It turns out that Smack is the
> one that's doing things wrong by not allocating memory when instructed
> to do so by the "alloc" parameter.
> 
> The fix is simple enough. Change the security_release_secctx() to
> kfree() because it isn't a secctx being returned by
> security_inode_getsecurity(). Change Smack to allocate the string when
> told to do so.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Looks good for me.

Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>


> 
> ---
>   fs/xattr.c                 |  2 +-
>   security/smack/smack_lsm.c | 55 +++++++++++++++++++++-------------------------
>   2 files changed, 26 insertions(+), 31 deletions(-)
> 
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 4424f7fecf14..61cd28ba25f3 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -250,7 +250,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
>   	}
>   	memcpy(value, buffer, len);
>   out:
> -	security_release_secctx(buffer, len);
> +	kfree(buffer);
>   out_noalloc:
>   	return len;
>   }
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 319add31b4a4..286171a16ed2 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1473,7 +1473,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
>    * @inode: the object
>    * @name: attribute name
>    * @buffer: where to put the result
> - * @alloc: unused
> + * @alloc: duplicate memory
>    *
>    * Returns the size of the attribute or an error code
>    */
> @@ -1486,43 +1486,38 @@ static int smack_inode_getsecurity(struct inode *inode,
>   	struct super_block *sbp;
>   	struct inode *ip = (struct inode *)inode;
>   	struct smack_known *isp;
> -	int ilen;
> -	int rc = 0;
>   
> -	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
> +	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
>   		isp = smk_of_inode(inode);
> -		ilen = strlen(isp->smk_known);
> -		*buffer = isp->smk_known;
> -		return ilen;
> -	}
> +	else {
> +		/*
> +		 * The rest of the Smack xattrs are only on sockets.
> +		 */
> +		sbp = ip->i_sb;
> +		if (sbp->s_magic != SOCKFS_MAGIC)
> +			return -EOPNOTSUPP;
>   
> -	/*
> -	 * The rest of the Smack xattrs are only on sockets.
> -	 */
> -	sbp = ip->i_sb;
> -	if (sbp->s_magic != SOCKFS_MAGIC)
> -		return -EOPNOTSUPP;
> +		sock = SOCKET_I(ip);
> +		if (sock == NULL || sock->sk == NULL)
> +			return -EOPNOTSUPP;
>   
> -	sock = SOCKET_I(ip);
> -	if (sock == NULL || sock->sk == NULL)
> -		return -EOPNOTSUPP;
> -
> -	ssp = sock->sk->sk_security;
> +		ssp = sock->sk->sk_security;
>   
> -	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
> -		isp = ssp->smk_in;
> -	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
> -		isp = ssp->smk_out;
> -	else
> -		return -EOPNOTSUPP;
> +		if (strcmp(name, XATTR_SMACK_IPIN) == 0)
> +			isp = ssp->smk_in;
> +		else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
> +			isp = ssp->smk_out;
> +		else
> +			return -EOPNOTSUPP;
> +	}
>   
> -	ilen = strlen(isp->smk_known);
> -	if (rc == 0) {
> -		*buffer = isp->smk_known;
> -		rc = ilen;
> +	if (alloc) {
> +		*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
> +		if (*buffer == NULL)
> +			return -ENOMEM;
>   	}
>   
> -	return rc;
> +	return strlen(isp->smk_known);
>   }
>   
>   
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

James Morris Oct. 4, 2017, 6:17 a.m. UTC | #2

On Tue, 19 Sep 2017, Casey Schaufler wrote:

> Subject: [PATCH] fix security_release_secctx seems broken
> 
> security_inode_getsecurity() provides the text string value
> of a security attribute. It does not provide a "secctx".
> The code in xattr_getsecurity() that calls security_inode_getsecurity()
> and then calls security_release_secctx() happened to work because
> SElinux and Smack treat the attribute and the secctx the same way.
> It fails for cap_inode_getsecurity(), because that module has no
> secctx that ever needs releasing. It turns out that Smack is the
> one that's doing things wrong by not allocating memory when instructed
> to do so by the "alloc" parameter.
> 
> The fix is simple enough. Change the security_release_secctx() to
> kfree() because it isn't a secctx being returned by
> security_inode_getsecurity(). Change Smack to allocate the string when
> told to do so.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Looks good to me.  I wonder why security_release_secctx was used in the 
first place? (it arrived via commit 42492594)

Konstantin: how did you trigger this?

I plan to send this to Linus for -rc4 unless anyone has objections.

Konstantin Khlebnikov Oct. 4, 2017, 9:29 a.m. UTC | #3

On 04.10.2017 09:17, James Morris wrote:
> On Tue, 19 Sep 2017, Casey Schaufler wrote:
> 
>> Subject: [PATCH] fix security_release_secctx seems broken
>>
>> security_inode_getsecurity() provides the text string value
>> of a security attribute. It does not provide a "secctx".
>> The code in xattr_getsecurity() that calls security_inode_getsecurity()
>> and then calls security_release_secctx() happened to work because
>> SElinux and Smack treat the attribute and the secctx the same way.
>> It fails for cap_inode_getsecurity(), because that module has no
>> secctx that ever needs releasing. It turns out that Smack is the
>> one that's doing things wrong by not allocating memory when instructed
>> to do so by the "alloc" parameter.
>>
>> The fix is simple enough. Change the security_release_secctx() to
>> kfree() because it isn't a secctx being returned by
>> security_inode_getsecurity(). Change Smack to allocate the string when
>> told to do so.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> 
> Looks good to me.  I wonder why security_release_secctx was used in the
> first place? (it arrived via commit 42492594)
>  > Konstantin: how did you trigger this?

Just "getcap /bin/ping" is enough to tigger leak if file has capabilities.
Selinux shouldn't be loaded because its release_secctx hook call kfree.

But sometimes it takes some time for kmemleak to find leak. Presumably
because stale poiner stays on stack which could be reused nowdays.

> 
> I plan to send this to Linus for -rc4 unless anyone has objections.
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

James Morris Oct. 4, 2017, 10:10 p.m. UTC | #4

On Wed, 4 Oct 2017, Konstantin Khlebnikov wrote:

> Just "getcap /bin/ping" is enough to tigger leak if file has capabilities.
> Selinux shouldn't be loaded because its release_secctx hook call kfree.

Ahh, makes sense.

> 
> But sometimes it takes some time for kmemleak to find leak. Presumably
> because stale poiner stays on stack which could be reused nowdays.

Thanks for finding this!

diff --git a/fs/xattr.c b/fs/xattr.c
index 4424f7fecf14..61cd28ba25f3 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -250,7 +250,7 @@  xattr_getsecurity(struct inode *inode, const char *name, void *value,
 	}
 	memcpy(value, buffer, len);
 out:
-	security_release_secctx(buffer, len);
+	kfree(buffer);
 out_noalloc:
 	return len;
 }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 319add31b4a4..286171a16ed2 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1473,7 +1473,7 @@  static int smack_inode_removexattr(struct dentry *dentry, const char *name)
  * @inode: the object
  * @name: attribute name
  * @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
  *
  * Returns the size of the attribute or an error code
  */
@@ -1486,43 +1486,38 @@  static int smack_inode_getsecurity(struct inode *inode,
 	struct super_block *sbp;
 	struct inode *ip = (struct inode *)inode;
 	struct smack_known *isp;
-	int ilen;
-	int rc = 0;
 
-	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
 		isp = smk_of_inode(inode);
-		ilen = strlen(isp->smk_known);
-		*buffer = isp->smk_known;
-		return ilen;
-	}
+	else {
+		/*
+		 * The rest of the Smack xattrs are only on sockets.
+		 */
+		sbp = ip->i_sb;
+		if (sbp->s_magic != SOCKFS_MAGIC)
+			return -EOPNOTSUPP;
 
-	/*
-	 * The rest of the Smack xattrs are only on sockets.
-	 */
-	sbp = ip->i_sb;
-	if (sbp->s_magic != SOCKFS_MAGIC)
-		return -EOPNOTSUPP;
+		sock = SOCKET_I(ip);
+		if (sock == NULL || sock->sk == NULL)
+			return -EOPNOTSUPP;
 
-	sock = SOCKET_I(ip);
-	if (sock == NULL || sock->sk == NULL)
-		return -EOPNOTSUPP;
-
-	ssp = sock->sk->sk_security;
+		ssp = sock->sk->sk_security;
 
-	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-		isp = ssp->smk_in;
-	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
-		isp = ssp->smk_out;
-	else
-		return -EOPNOTSUPP;
+		if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+			isp = ssp->smk_in;
+		else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+			isp = ssp->smk_out;
+		else
+			return -EOPNOTSUPP;
+	}
 
-	ilen = strlen(isp->smk_known);
-	if (rc == 0) {
-		*buffer = isp->smk_known;
-		rc = ilen;
+	if (alloc) {
+		*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
+		if (*buffer == NULL)
+			return -ENOMEM;
 	}
 
-	return rc;
+	return strlen(isp->smk_known);
 }

fix security_release_secctx seems broken

Commit Message

Comments

Patch