redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/security
History
Igor Zhbanov cdb56b6088 Fix NULL pointer dereference in smack_inode_unlink() and smack_inode_rmdir() 
This patch fixes kernel Oops because of wrong common_audit_data type
in smack_inode_unlink() and smack_inode_rmdir().

When SMACK security module is enabled and SMACK logging is on (/smack/logging
is not zero) and you try to delete the file which
1) you cannot delete due to SMACK rules and logging of failures is on
or
2) you can delete and logging of success is on,

you will see following:

	Unable to handle kernel NULL pointer dereference at virtual address 000002d7

	[<...>] (strlen+0x0/0x28)
	[<...>] (audit_log_untrustedstring+0x14/0x28)
	[<...>] (common_lsm_audit+0x108/0x6ac)
	[<...>] (smack_log+0xc4/0xe4)
	[<...>] (smk_curacc+0x80/0x10c)
	[<...>] (smack_inode_unlink+0x74/0x80)
	[<...>] (security_inode_unlink+0x2c/0x30)
	[<...>] (vfs_unlink+0x7c/0x100)
	[<...>] (do_unlinkat+0x144/0x16c)

The function smack_inode_unlink() (and smack_inode_rmdir()) need
to log two structures of different types. First of all it does:

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

This will set common audit data type to LSM_AUDIT_DATA_DENTRY
and store dentry for auditing (by function smk_curacc(), which in turn calls
dump_common_audit_data(), which is actually uses provided data and logs it).

	/*
	 * You need write access to the thing you're unlinking
	 */
	rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
	if (rc == 0) {
		/*
		 * You also need write access to the containing directory
		 */

Then this function wants to log anoter data:

		smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
		smk_ad_setfield_u_fs_inode(&ad, dir);

The function sets inode field, but don't change common_audit_data type.

		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
	}

So the dump_common_audit() function incorrectly interprets inode structure
as dentry, and Oops will happen.

This patch reinitializes common_audit_data structures with correct type.
Also I removed unneeded
	smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
initialization, because both dentry and inode pointers are stored
in the same union.

Signed-off-by: Igor Zhbanov <i.zhbanov@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
 		2013-03-19 14:38:17 -07:00
..
apparmor new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
integrity hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
keys userns: Stop oopsing in key_change_session_keyring 2013-03-03 19:35:38 -08:00
selinux Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-03-03 13:23:03 -08:00
smack Fix NULL pointer dereference in smack_inode_unlink() and smack_inode_rmdir() 2013-03-19 14:38:17 -07:00
tomoyo tomoyo: use DEFINE_SRCU() to define tomoyo_ss 2013-03-18 23:51:31 +11:00
yama Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-12-17 15:44:47 -08:00
Kconfig KEYS: Move the key config into security/keys/Kconfig 2012-05-11 10:56:56 +01:00
Makefile security: Yama LSM 2012-02-10 09:18:52 +11:00
capability.c tun: fix LSM/SELinux labeling of tun/tap devices 2013-01-14 18:16:59 -05:00
commoncap.c kill f_vfsmnt 2013-02-26 02:46:10 -05:00
device_cgroup.c device_cgroup: don't grab mutex in rcu callback 2013-02-21 17:22:15 -08:00
inode.c securityfs: fix object creation races 2012-01-10 10:20:35 -05:00
lsm_audit.c LSM: BUILD_BUG_ON if the common_audit_data union ever grows 2012-04-09 12:23:03 -04:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-04-23 08:56:31 +10:00
security.c tun: fix LSM/SELinux labeling of tun/tap devices 2013-01-14 18:16:59 -05:00