Ondrej Mosnacek b06b1f4630 selinux: fix race condition when computing ocontext SIDs
commit cbfcd13be5cb2a07868afe67520ed181956579a7 upstream.

Current code contains a lot of racy patterns when converting an
ocontext's context structure to an SID. This is being done in a "lazy"
fashion, such that the SID is looked up in the SID table only when it's
first needed and then cached in the "sid" field of the ocontext
structure. However, this is done without any locking or memory barriers
and is thus unsafe.

Between commits 24ed7fdae6 ("selinux: use separate table for initial
SID lookup") and 66f8e2f03c ("selinux: sidtab reverse lookup hash
table"), this race condition led to an actual observable bug, because a
pointer to the shared sid field was passed directly to
sidtab_context_to_sid(), which was using this location to also store an
intermediate value, which could have been read by other threads and
interpreted as an SID. In practice this caused e.g. new mounts to get a
wrong (seemingly random) filesystem context, leading to strange denials.
This bug has been spotted in the wild at least twice, see [1] and [2].

Fix the race condition by making all the racy functions use a common
helper that ensures the ocontext::sid accesses are made safely using the
appropriate SMP constructs.

Note that security_netif_sid() was populating the sid field of both
contexts stored in the ocontext, but only the first one was actually
used. The SELinux wiki's documentation on the "netifcon" policy
statement [3] suggests that using only the first context is intentional.
I kept only the handling of the first context here, as there is really
no point in doing the SID lookup for the unused one.

I wasn't able to reproduce the bug mentioned above on any kernel that
includes commit 66f8e2f03c, even though it has been reported that the
issue occurs with that commit, too, just less frequently. Thus, I wasn't
able to verify that this patch fixes the issue, but it makes sense to
avoid the race condition regardless.

[1] https://github.com/containers/container-selinux/issues/89
[2] https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/6DMTAMHIOAOEMUAVTULJD45JZU7IBAFM/
[3] https://selinuxproject.org/page/NetworkStatements#netifcon

Cc: stable@vger.kernel.org
Cc: Xinjie Zheng <xinjie@google.com>
Reported-by: Sujithra Periasamy <sujithra@google.com>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[vijayb: Backport contextual differences are due to v5.10 RCU-related
 changes that are not in 5.4]
Signed-off-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-17 10:12:24 +01:00
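The pattern the commit message describes, as an added userspace model that is not the kernel's own code: an ocontext caches its SID lazily, the old lookup used its output location as scratch space, and the fix computes into a private temporary and publishes it with release/acquire ordering. The names ocontext_to_sid_racy(), ocontext_to_sid_safe(), sidtab_context_to_sid_scratch(), probe() and demo(), the smp_load_acquire/smp_store_release macros built on the GCC __atomic builtins, and the three context strings are all hypothetical stand-ins; the real SELinux sidtab and the upstream helper are more involved. The "concurrent reader" is simulated by a probe called at the point where another CPU could observe the shared field, so the result is deterministic rather than a real thread race.

```c
/* Added example (not the kernel's own code): a userspace model of the lazy
 * ocontext->sid caching described in the commit message, with the racy
 * pattern beside an acquire/release helper. sidtab_context_to_sid_scratch()
 * mimics a lookup that uses its output location as scratch space. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECSID_NULL 0U          /* "not computed yet", as in the kernel */
#define SIDTAB_MAX  16

/* Userspace stand-ins for the kernel's smp_load_acquire/smp_store_release. */
#define smp_load_acquire(p)     __atomic_load_n((p), __ATOMIC_ACQUIRE)
#define smp_store_release(p, v) __atomic_store_n((p), (v), __ATOMIC_RELEASE)

struct context  { char str[48]; };                     /* stand-in for a SELinux context */
struct sidtab   { uint32_t count; struct context entries[SIDTAB_MAX]; };
struct ocontext {
    struct context context;     /* context from the policy (e.g. a netifcon entry) */
    uint32_t sid;               /* lazily cached SID, shared between CPUs */
};

/* Simulated concurrent reader: records the first non-null value it sees in
 * the ocontext's sid field while a lookup is in progress. */
static const uint32_t *probe_target;
static uint32_t observed_mid_lookup;

static void probe(void)
{
    if (probe_target && observed_mid_lookup == SECSID_NULL)
        observed_mid_lookup = smp_load_acquire(probe_target);
}

/* Lookup that misuses *out as scratch space for the candidate it is comparing.
 * SIDs in this model are simply 1-based table indices. */
static int sidtab_context_to_sid_scratch(struct sidtab *tab, const struct context *ctx, uint32_t *out)
{
    for (uint32_t i = 0; i < tab->count; i++) {
        *out = i + 1;                /* candidate written before we know it matches */
        probe();                     /* another CPU reads the shared field here */
        if (strcmp(tab->entries[i].str, ctx->str) == 0)
            return 0;
    }
    if (tab->count == SIDTAB_MAX)
        return -1;
    tab->entries[tab->count] = *ctx;
    *out = ++tab->count;
    return 0;
}

/* Racy pattern: plain read of the cache, and the lookup writes straight into it. */
static int ocontext_to_sid_racy(struct sidtab *tab, struct ocontext *c, uint32_t *sid)
{
    int rc = 0;
    if (c->sid == SECSID_NULL)
        rc = sidtab_context_to_sid_scratch(tab, &c->context, &c->sid);
    *sid = c->sid;
    return rc;
}

/* Fixed pattern: acquire-load the cache, compute into a private temporary,
 * and release-store only the final value. */
static int ocontext_to_sid_safe(struct sidtab *tab, struct ocontext *c, uint32_t *sid)
{
    uint32_t tmp = smp_load_acquire(&c->sid);
    if (tmp != SECSID_NULL) {
        *sid = tmp;                  /* fast path: already published by another caller */
        return 0;
    }
    int rc = sidtab_context_to_sid_scratch(tab, &c->context, &tmp);
    if (rc)
        return rc;
    smp_store_release(&c->sid, tmp); /* pairs with the acquire above */
    *sid = tmp;
    return 0;
}

/* Resolve one ocontext twice against a table that already holds two other
 * contexts (constructed data). Returns what the simulated reader saw during
 * the first lookup: SECSID_NULL is correct, anything else is a bogus SID.
 * *sid receives the final SID; UINT32_MAX signals a failure or a cache that
 * did not survive the second call. */
static uint32_t demo(int use_safe_helper, uint32_t *sid)
{
    struct sidtab tab = { .count = 2 };
    strcpy(tab.entries[0].str, "system_u:object_r:etc_t:s0");
    strcpy(tab.entries[1].str, "system_u:object_r:bin_t:s0");
    struct ocontext c = { .sid = SECSID_NULL };
    strcpy(c.context.str, "system_u:object_r:container_file_t:s0");

    int (*lookup)(struct sidtab *, struct ocontext *, uint32_t *) =
        use_safe_helper ? ocontext_to_sid_safe : ocontext_to_sid_racy;

    probe_target = &c.sid;
    observed_mid_lookup = SECSID_NULL;
    uint32_t first, second;
    int rc = lookup(&tab, &c, &first);
    probe_target = NULL;
    if (rc || lookup(&tab, &c, &second) || second != first) {
        *sid = UINT32_MAX;
        return UINT32_MAX;
    }
    *sid = first;
    return observed_mid_lookup;
}

int main(void)
{
    uint32_t sid, seen;
    seen = demo(0, &sid);
    printf("racy: reader saw sid %u mid-lookup, final sid %u\n", seen, sid);
    seen = demo(1, &sid);
    printf("safe: reader saw sid %u mid-lookup, final sid %u\n", seen, sid);
    return 0;
}
```

With the racy helper the simulated reader sees SID 1 (the first non-matching candidate) while the real answer is 3, which is the "seemingly random" context the commit message describes; with the safe helper the field stays SECSID_NULL until the final value is release-stored, so a concurrent reader either sees "not computed" and does its own lookup or sees the correct, fully published SID.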
arch KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req 2021-12-17 10:12:24 +01:00
block block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) 2021-12-14 14:49:02 +01:00
certs
crypto
Documentation dt-bindings: net: Reintroduce PHY no lane swap binding 2021-12-14 14:49:03 +01:00
drivers drm/amd/display: add connector type check for CRC source set 2021-12-17 10:12:24 +01:00
fs tracefs: Set all files to the same group ownership as the mount option 2021-12-14 14:49:02 +01:00
include aio: fix use-after-free due to missing POLLFREE handling 2021-12-14 14:49:02 +01:00
init
ipc shm: extend forced shm destroy to support objects from several IPC nses 2021-12-01 09:23:35 +01:00
kernel tracing: Fix a kmemleak false positive in tracing_map 2021-12-17 10:12:24 +01:00
lib siphash: use _unaligned version by default 2021-12-08 09:01:12 +01:00
LICENSES
mm mm: bdi: initialize bdi_min_ratio when bdi is unregistered 2021-12-14 14:49:00 +01:00
net net: netlink: af_netlink: Prevent empty skb by adding a check on len. 2021-12-17 10:12:23 +01:00
samples
scripts
security selinux: fix race condition when computing ocontext SIDs 2021-12-17 10:12:24 +01:00
sound ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer 2021-12-14 14:49:03 +01:00
tools netfilter: selftest: conntrack_vrf.sh: fix file permission 2021-12-16 16:41:08 +01:00
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile Linux 5.4.166 2021-12-16 16:41:34 +01:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.