From patchwork Fri Mar 1 13:04:06 2024
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 208827
Message-ID: <70bfa1c9-6790-4537-bdc5-5d633c6ea806@I-love.SAKURA.ne.jp>
Date: Fri, 1 Mar 2024 22:04:06 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: [PATCH for 6.8] tomoyo: fix UAF write bug in tomoyo_write_control()
From: Tetsuo Handa
To: Sam Sun, paul@paul-moore.com, Linus Torvalds
Cc: syzkaller@googlegroups.com, takedakn@nttdata.co.jp, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org

Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.

Reported-by: Sam Sun
Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
Cc: stable@vger.kernel.org # Linux 3.1+
Signed-off-by: Tetsuo Handa
---
I couldn't reproduce this problem in my environment, but I believe this does fix a bug.

Linus, can you directly apply to linux.git? If Linus wants a GIT PULL request, can Paul send this patch via the LSM tree, because TOMOYO's git tree is not working?

 security/tomoyo/common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ee70ae50f2..ea3140d510ec 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */
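Review bot: moving the read of head->write_buf into cp0 from the declaration to just after mutex_lock_interruptible(&head->io_sem) succeeds is the whole fix, and the commit message should spell out the window it closes: with the old placement, a second write() on the same open file could take io_sem first, grow head->write_buf for a long line and free the old buffer, and this caller would then lock and keep writing through the copy of the pointer it took before the lock (the use-after-free write); a later grow in this caller would then free that same old buffer again (the double free). Since the hunk only shows the function prologue, it is worth confirming that every later reassignment of head->write_buf in the body also refreshes cp0, so that no other stale copy of the pointer survives after this change; the two early returns (-EINVAL for !head->write and -EINTR for the interrupted lock) are unaffected because neither touches the buffer.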
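The race the commit message describes, as an added example that is not TOMOYO code or the patch author's: a deterministic C model in which a second write() of a long line runs between a caller's early read of head->write_buf and its acquisition of io_sem. The struct io_buffer, the write_control() model, the toy slot allocator with its live bits, and the constructed racer lines are all assumptions made for this illustration, not kernel APIs; the real kernel has no such checks, and KASAN or a crash is what reports the resulting use-after-free write and double free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of the modelled write(); the kernel itself has no such checks. */
enum outcome { WRITE_OK = 0, UAF_WRITE = 1, DOUBLE_FREE = 2, NO_MEMORY = 3 };

/* Toy slab (assumption, not kmalloc): a bump allocator that never reuses a
 * slot, plus a live bit per slot, so a store into or a free of an already
 * freed slot is detectable instead of being undefined behaviour. */
#define NSLOTS 8
#define SLOT_SIZE 64
static char pool[NSLOTS][SLOT_SIZE];
static bool live[NSLOTS];
static int next_slot;

static void pool_reset(void)
{
	memset(pool, 0, sizeof(pool));
	memset(live, 0, sizeof(live));
	next_slot = 0;
}

static char *slot_alloc(void)
{
	if (next_slot >= NSLOTS)
		return NULL;
	live[next_slot] = true;
	return pool[next_slot++];
}

static int slot_index(const char *p)
{
	return (int)((p - (const char *)pool) / SLOT_SIZE);
}

/* Returns -1 on a double free instead of corrupting the allocator. */
static int slot_free(char *p)
{
	int i = slot_index(p);
	if (!live[i])
		return -1;
	live[i] = false;
	return 0;
}

/* Stand-in for the fields of struct tomoyo_io_buffer the race involves. */
struct io_buffer {
	char *write_buf;      /* replaced by whichever writer needs a longer line */
	size_t writebuf_size;
	size_t avail;         /* bytes of the current line buffered so far */
	bool locked;          /* models head->io_sem */
};

/* Model of the write path. fetch_before_lock = true is the pre-patch ordering
 * (cp0 read at declaration, before io_sem); false is the patched ordering.
 * racer_line, if non-NULL, is a concurrent write() that wins the lock first
 * and runs to completion inside the window between those two points. */
enum outcome write_control(struct io_buffer *head, const char *data, size_t len,
			   bool fetch_before_lock, const char *racer_line)
{
	char *cp0 = fetch_before_lock ? head->write_buf : NULL;

	if (racer_line)	/* the other write() of a long line, run under the lock */
		write_control(head, racer_line, strlen(racer_line), false, NULL);

	head->locked = true;			/* mutex_lock_interruptible(&head->io_sem) */
	if (!fetch_before_lock)
		cp0 = head->write_buf;		/* where the patch moves the read */

	enum outcome rc = WRITE_OK;
	for (size_t i = 0; i < len; i++) {
		if (head->avail >= head->writebuf_size - 1) {
			/* Line longer than the buffer: grow it, as the real function does. */
			char *cp = slot_alloc();
			if (!cp) { rc = NO_MEMORY; break; }
			memmove(cp, cp0, head->avail);	/* with a stale cp0 this reads freed memory */
			if (slot_free(cp0) < 0) {	/* stale cp0 was already freed by the racer */
				rc = DOUBLE_FREE;
				break;
			}
			head->write_buf = cp;
			head->writebuf_size *= 2;
			cp0 = cp;
		}
		if (!live[slot_index(cp0)]) {	/* the store would land in freed memory */
			rc = UAF_WRITE;
			break;
		}
		cp0[head->avail++] = data[i];
	}
	head->locked = false;
	return rc;
}

/* Fresh head with an 8-byte buffer; returns the outcome of a 1-byte write
 * that races with racer_line (constructed input) under the chosen ordering. */
enum outcome race(bool fetch_before_lock, const char *racer_line)
{
	pool_reset();
	struct io_buffer head = { slot_alloc(), 8, 0, false };
	return write_control(&head, "x", 1, fetch_before_lock, racer_line);
}

int main(void)
{
	printf("pre-patch, racer grows once:   %d\n", race(true, "0123456789AB"));
	printf("pre-patch, racer fills buffer: %d\n", race(true, "0123456789ABCDE"));
	printf("patched, racer grows once:     %d\n", race(false, "0123456789AB"));
	printf("patched, racer fills buffer:   %d\n", race(false, "0123456789ABCDE"));
	return 0;
}
```

The two racer lines are chosen so that the second writer either leaves the grown buffer with room (the victim then stores through its stale pointer, the use-after-free write) or leaves it full (the victim's own grow then frees the already freed old buffer, the double free); with the pointer fetched under the lock both cases complete normally, and without a racer the pre-patch ordering also completes normally, which is why the bug needs concurrent write() calls to show up.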