[PATCH 5/9] LSM: Manage remaining security blobs
From: penguin-kernel@I-love.SAKURA.ne.jp (Tetsuo Handa)
Date: 2017-11-29 11:21:33
Hello. I browsed https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734686 and found a problem with how security blob is initialized. Casey Schaufler wrote:
+/**
+ * lsm_sock_alloc - allocate a composite sock blob
+ * @sock: the sock that needs a blob
+ * @priority: allocation mode
+ *
+ * Allocate the sock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sock->sk_security)
+ pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
+#endifIf none of LSM modules use sock->sk_security, sock->sk_security is not initialized to NULL (and sk_prot_alloc() does not always use __GFP_ZERO).
+ if (blob_sizes.lbs_sock == 0) + return 0; + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +}
quoted hunk ↗ jump to hunk
@@ -1609,12 +1851,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { + int rc = lsm_sock_alloc(sk, priority); + + if (rc) + return rc;
In that report, no major LSMs are active because apparmor=0 is passed at kernel command line. Thus, security_sk_alloc() does not initialize sk->sk_security field and
return call_int_hook(sk_alloc_security, 0, sk, family, priority);
}
void security_sk_free(struct sock *sk)
{
call_void_hook(sk_free_security, sk);causes random oops at kfree().
+ kfree(sk->sk_security); + sk->sk_security = NULL; }
-- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html