• Eric Biggers's avatar
    Smack: fix use-after-free in smk_write_relabel_self() · beb4ee67
    Eric Biggers authored
    smk_write_relabel_self() frees memory from the task's credentials with
    no locking, which can easily cause a use-after-free because multiple
    tasks can share the same credentials structure.
    
    Fix this by using prepare_creds() and commit_creds() to correctly modify
    the task's credentials.
    
    Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
    
    	#include <fcntl.h>
    	#include <pthread.h>
    	#include <unistd.h>
    
    	static void *thrproc(void *arg)
    	{
    		int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
    		for (;;) write(fd, "foo", 3);
    	}
    
    	int main()
    	{
    		pthread_t t;
    		pthread_create(&t, NULL, thrproc, NULL);
    		thrproc(NULL);
    	}
    
    Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
    Fixes: 38416e53 ("Smack: limited capability for changing process label")
    Cc: <stable@vger.kernel.org> # v4.4+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    beb4ee67
smackfs.c 69.1 KB