mirror of
https://github.com/torvalds/linux.git
synced 2024-11-27 14:41:39 +00:00
6f7c41374b
syzbot is reporting that use of SOCKET_I()->sk from open() can result in use after free problem [1], for socket's inode is still reachable via /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. At first I thought that this race condition applies to only open/getattr permission checks. But James Morris has pointed out that there are more permission checks where this race condition applies to. Thus, get rid of tomoyo_get_socket_name() instead of conditionally bypassing permission checks on sockets. As a side effect of this patch, "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be rewritten to "socket:[\$]". [1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com> Reported-by: James Morris <jmorris@namei.org> |
||
|---|---|---|
| .. | ||
| policy | ||
| .gitignore | ||
| audit.c | ||
| common.c | ||
| common.h | ||
| condition.c | ||
| domain.c | ||
| environ.c | ||
| file.c | ||
| gc.c | ||
| group.c | ||
| Kconfig | ||
| load_policy.c | ||
| Makefile | ||
| memory.c | ||
| mount.c | ||
| network.c | ||
| realpath.c | ||
| securityfs_if.c | ||
| tomoyo.c | ||
| util.c | ||