diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2019-11-25 10:46:51 +0900 |
---|---|---|
committer | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2019-12-11 19:54:10 +0900 |
commit | 6f7c41374b62fd80bbd8aae3536c43688c54d95e (patch) | |
tree | 84da6139d6f939e7b3eb7db171c2c391c3cdebd2 /security/tomoyo/util.c | |
parent | 6794862a16ef41f753abd75c03a152836e4c8028 (diff) | |
download | linux-6f7c41374b62fd80bbd8aae3536c43688c54d95e.tar.gz linux-6f7c41374b62fd80bbd8aae3536c43688c54d95e.tar.bz2 linux-6f7c41374b62fd80bbd8aae3536c43688c54d95e.zip |
tomoyo: Don't use nifty names on sockets.
syzbot is reporting that use of SOCKET_I()->sk from open() can result in
use after free problem [1], for socket's inode is still reachable via
/proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed.
At first I thought that this race condition applies to only open/getattr
permission checks. But James Morris has pointed out that there are more
permission checks where this race condition applies to. Thus, get rid of
tomoyo_get_socket_name() instead of conditionally bypassing permission
checks on sockets. As a side effect of this patch,
"socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be
rewritten to "socket:[\$]".
[1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com>
Reported-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/util.c')
0 files changed, 0 insertions, 0 deletions