From: "Jiao, Joey" <quic_jiangenj@xxxxxxxxxxx>
BUG: KASAN: slab-out-of-bounds in avc_lookup+0x174/0x298
Read of size 8 at addr ffffff8846ef70b1 by task spdaemon/1037
Call trace:
dump_backtrace+0xf0/0x13c
show_stack+0x18/0x28
dump_stack_lvl+0xd0/0x128
print_report+0x13c/0x6f8
kasan_report+0xe8/0x148
__asan_load8+0x98/0xa0
avc_lookup+0x174/0x298
avc_has_perm_noaudit+0x60/0x12c
selinux_inode_permission+0x278/0x3cc
security_inode_permission+0x84/0xc8
inode_permission+0xb8/0x2b8
link_path_walk+0x178/0x7c0
path_lookupat+0x6c/0x298
filename_lookup+0x11c/0x2e4
vfs_statx+0xb4/0x3f0
vfs_fstatat+0xfc/0x3e4
__arm64_sys_newfstatat+0x88/0x340
invoke_syscall+0x6c/0x17c
el0_svc_common+0xf8/0x138
do_el0_svc+0x30/0x40
el0_svc+0x3c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x19c/0x1a0
To fix this, protect the rcu read access
Signed-off-by: Jiao, Joey <quic_jiangenj@xxxxxxxxxxx>
---
security/selinux/avc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 32eb67fb3e42..ded3823d4451 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -528,6 +528,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
hvalue = avc_hash(ssid, tsid, tclass);
head = &selinux_avc.avc_cache.slots[hvalue];
+ rcu_read_lock();
hlist_for_each_entry_rcu(node, head, list) {
if (ssid == node->ae.ssid &&
tclass == node->ae.tclass &&
@@ -536,6 +537,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
break;
}
}
+ rcu_read_unlock();
return ret;
}
--
2.47.1
