The patch titled Subject: sysv, ipc: fix security-layer leaking has been added to the -mm tree. Its filename is sysv-ipc-fix-security-layer-leaking.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/sysv-ipc-fix-security-layer-leaking.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/sysv-ipc-fix-security-layer-leaking.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Fabian Frederick <fabf@xxxxxxxxx> Subject: sysv, ipc: fix security-layer leaking 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref() to receive rcu freeing function but used generic ipc_rcu_free() instead of msg_rcu_free() which does security cleaning. Running LTP msgsnd06 with kmemleak gives the following: cat /sys/kernel/debug/kmemleak unreferenced object 0xffff88003c0a11f8 (size 8): comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s) hex dump (first 8 bytes): 1b 00 00 00 01 00 00 00 ........ backtrace: [<ffffffff818e2c43>] kmemleak_alloc+0x23/0x40 [<ffffffff81177f31>] kmem_cache_alloc_trace+0xe1/0x180 [<ffffffff812d42af>] selinux_msg_queue_alloc_security+0x3f/0xd0 [<ffffffff812cc6be>] security_msg_queue_alloc+0x2e/0x40 [<ffffffff812b94ee>] newque+0x4e/0x150 [<ffffffff812b8cb9>] ipcget+0x159/0x1b0 [<ffffffff812b98d9>] SyS_msgget+0x39/0x40 [<ffffffff818e7bdb>] entry_SYSCALL_64_fastpath+0x13/0x8f [<ffffffffffffffff>] 0xffffffffffffffff Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to only use ipc_rcu_free in case of security allocation failure in newary() Fixes: 53dad6d3a8e ("ipc: fix race with LSMs") Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@xxxxxxxxx Signed-off-by: Fabian Frederick <fabf@xxxxxxxxx> Cc: Davidlohr Bueso <dbueso@xxxxxxx> Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> [3.12+] Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- ipc/msg.c | 2 +- ipc/sem.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff -puN ipc/msg.c~sysv-ipc-fix-security-layer-leaking ipc/msg.c --- a/ipc/msg.c~sysv-ipc-fix-security-layer-leaking +++ a/ipc/msg.c @@ -680,7 +680,7 @@ long do_msgsnd(int msqid, long mtype, vo rcu_read_lock(); ipc_lock_object(&msq->q_perm); - ipc_rcu_putref(msq, ipc_rcu_free); + ipc_rcu_putref(msq, msg_rcu_free); /* raced with RMID? */ if (!ipc_valid_object(&msq->q_perm)) { err = -EIDRM; diff -puN ipc/sem.c~sysv-ipc-fix-security-layer-leaking ipc/sem.c --- a/ipc/sem.c~sysv-ipc-fix-security-layer-leaking +++ a/ipc/sem.c @@ -438,7 +438,7 @@ static inline struct sem_array *sem_obta static inline void sem_lock_and_putref(struct sem_array *sma) { sem_lock(sma, NULL, -1); - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); } static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) @@ -1381,7 +1381,7 @@ static int semctl_main(struct ipc_namesp rcu_read_unlock(); sem_io = ipc_alloc(sizeof(ushort)*nsems); if (sem_io == NULL) { - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); return -ENOMEM; } @@ -1415,20 +1415,20 @@ static int semctl_main(struct ipc_namesp if (nsems > SEMMSL_FAST) { sem_io = ipc_alloc(sizeof(ushort)*nsems); if (sem_io == NULL) { - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); return -ENOMEM; } } if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) { - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); err = -EFAULT; goto out_free; } for (i = 0; i < nsems; i++) { if (sem_io[i] > SEMVMX) { - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); err = -ERANGE; goto out_free; } @@ -1720,7 +1720,7 @@ static struct sem_undo *find_alloc_undo( /* step 2: allocate new undo structure */ new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL); if (!new) { - ipc_rcu_putref(sma, ipc_rcu_free); + ipc_rcu_putref(sma, sem_rcu_free); return ERR_PTR(-ENOMEM); } _ Patches currently in -mm which might be from fabf@xxxxxxxxx are sysv-ipc-fix-security-layer-leaking.patch treewide-replace-obsolete-_refok-by-__ref.patch ipc-msgc-fix-memory-leak-in-do_msgsnd.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html