| Message ID | 70bfa1c9-6790-4537-bdc5-5d633c6ea806@I-love.SAKURA.ne.jp (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [for,6.8] tomoyo: fix UAF write bug in tomoyo_write_control() | expand |
On Fri, 1 Mar 2024 at 05:04, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote: > > I couldn't reproduce this problem in my environment, but I believe > this does fix a bug. Linus, can you directly apply to linux.git ? Thanks. Applied, Linus
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ee70ae50f2..ea3140d510ec 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */
Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219@gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: stable@vger.kernel.org # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- I couldn't reproduce this problem in my environment, but I believe this does fix a bug. Linus, can you directly apply to linux.git ? If Linus wants a GIT PULL request, can Paul send this patch via LSM tree because TOMOYO's git tree is not working? security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)