From patchwork Mon Apr 1 14:19:19 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1918492
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/J/F][PATCH 1/1] tomoyo: fix UAF write bug in tomoyo_write_control()
Date: Mon, 1 Apr 2024 09:19:19 -0500
Message-Id: <20240401141919.34578-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240401141919.34578-1-bethany.jamison@canonical.com>
References: <20240401141919.34578-1-bethany.jamison@canonical.com>

From: Tetsuo Handa

Since tomoyo_write_control() updates head->write_buf when write() of long
lines is requested, we need to fetch head->write_buf after head->io_sem is
held. Otherwise, concurrent write() requests can cause use-after-free-write
and double-free problems.

Reported-by: Sam Sun
Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
Cc: # Linux 3.1+
Signed-off-by: Tetsuo Handa
Signed-off-by: Linus Torvalds
(cherry picked from commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815)
CVE-2024-26622
Signed-off-by: Bethany Jamison
---
 security/tomoyo/common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 969d4aa6fd556..2a71e246d49e5 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2648,13 +2648,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */
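Review bot: the hunk leaves `char *cp0;` uninitialized across the two early returns (`return -EINVAL;` when head->write is unset, `return -EINTR;` when mutex_lock_interruptible() fails); neither visible path reads cp0, so this is safe as shown, but the remainder of tomoyo_write_control() (outside the hunk) should be checked for any read of cp0 or head->write_buf that still happens before io_sem is held, since such a read would keep the race the commit message describes. Moving the fetch to `cp0 = head->write_buf;` directly after the lock is the right shape for the fix: the pointer is only stable while the writer holds io_sem, because a concurrent write() of a long line can replace the buffer. For the SRU backport it would help to state in the cover letter that only the assignment site moves and no other code in the 3-line context changes, since that makes the cherry-pick easy to verify against 2f03fc340cac.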