seccomp fixes for v5.9-rc5

- Fix memory resource leak of user_notif under TSYNC race (Tycho Andersen)
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAl9cE6IWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJuHfD/9CrUBQl1A4ZuvRjJEiP9V/7g/B
 JKDoU+VY3j4B7adFypol2atXmrpcFRUY8FfZYLY4lJtl30YUTC5mxTeQpXjH71p2
 PVSHUc1eKGFgThgcGaGs8qRGDctvLJTX9KnRRfYX6UGo5fsbyJBTDJMWZ00+87Ia
 3cgCo60Q/107KiDDfb4D8rROG9uKkTaa+icZPjCzGAOlBOZhWX2y5ViT0KvEre/r
 ObaCHAs4JIIyqTTrPUTLeOqjzIjp0yYZ/FmyJOQZ8cSA1HezbxHU9kgi6d69QaZB
 natXjarHmU5/eUBjbQ95jH324qamoLq++ch/sL4NiitjboAmAxZrIZ80Ir4qOrcU
 6ddTr0jhzKsfGzibZKI6g3fYCJJ38DJl/JaiADeySovdEaf7h3cs85WjXK2nVuZR
 uKI5heaK/4tumIBqTBSo4cU7Bk9hSOXtoAUloiIem/jXZYS4Atl5WbXynAI4fM3b
 FO1PwKm3LBX5Ua1cjOHRydFZ1qZB90TvzoylLWXOSJ+ThmKOWfxtk98G6C7l/AY5
 18FjYjQxn8NT1AFBoRyFB+0Jf0KPrkqr0un1BdWt+B8hNMovEn7PHvAFJ1tJOQic
 8TnbGtDYO58kkMsdSSFATwquzo31yu1epXXUtviR/cJVanY/dhGuCtgamXwrUhVa
 ElFPQaO0W5DgBAxXUA==
 =I7rD
 -----END PGP SIGNATURE-----

Merge tag 'seccomp-v5.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull seccomp fixes from Kees Cook:
 "This fixes a rare race condition in seccomp when using TSYNC and
  USER_NOTIF together where a memory allocation would not get freed
  (found by syzkaller, fixed by Tycho).

  Additionally updates Tycho's MAINTAINERS and .mailmap entries for his
  new address"

* tag 'seccomp-v5.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  seccomp: don't leave dangling ->notif if file allocation fails
  mailmap, MAINTAINERS: move to tycho.pizza
  seccomp: don't leak memory when filter install races
This commit is contained in:
Linus Torvalds 2020-09-12 12:58:01 -07:00
commit ef2e9a563b
3 changed files with 20 additions and 7 deletions

View File

@ -308,6 +308,7 @@ Tony Luck <tony.luck@intel.com>
TripleX Chung <xxx.phy@gmail.com> <triplex@zh-kernel.org> TripleX Chung <xxx.phy@gmail.com> <triplex@zh-kernel.org>
TripleX Chung <xxx.phy@gmail.com> <zhongyu@18mail.cn> TripleX Chung <xxx.phy@gmail.com> <zhongyu@18mail.cn>
Tsuneo Yoshioka <Tsuneo.Yoshioka@f-secure.com> Tsuneo Yoshioka <Tsuneo.Yoshioka@f-secure.com>
Tycho Andersen <tycho@tycho.pizza> <tycho@tycho.ws>
Uwe Kleine-König <ukleinek@informatik.uni-freiburg.de> Uwe Kleine-König <ukleinek@informatik.uni-freiburg.de>
Uwe Kleine-König <ukl@pengutronix.de> Uwe Kleine-König <ukl@pengutronix.de>
Uwe Kleine-König <Uwe.Kleine-Koenig@digi.com> Uwe Kleine-König <Uwe.Kleine-Koenig@digi.com>

View File

@ -9800,7 +9800,7 @@ F: drivers/scsi/53c700*
LEAKING_ADDRESSES LEAKING_ADDRESSES
M: Tobin C. Harding <me@tobin.cc> M: Tobin C. Harding <me@tobin.cc>
M: Tycho Andersen <tycho@tycho.ws> M: Tycho Andersen <tycho@tycho.pizza>
L: kernel-hardening@lists.openwall.com L: kernel-hardening@lists.openwall.com
S: Maintained S: Maintained
T: git git://git.kernel.org/pub/scm/linux/kernel/git/tobin/leaks.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/tobin/leaks.git

View File

@ -1109,13 +1109,18 @@ static long seccomp_set_mode_strict(void)
} }
#ifdef CONFIG_SECCOMP_FILTER #ifdef CONFIG_SECCOMP_FILTER
static int seccomp_notify_release(struct inode *inode, struct file *file) static void seccomp_notify_free(struct seccomp_filter *filter)
{
kfree(filter->notif);
filter->notif = NULL;
}
static void seccomp_notify_detach(struct seccomp_filter *filter)
{ {
struct seccomp_filter *filter = file->private_data;
struct seccomp_knotif *knotif; struct seccomp_knotif *knotif;
if (!filter) if (!filter)
return 0; return;
mutex_lock(&filter->notify_lock); mutex_lock(&filter->notify_lock);
@ -1139,9 +1144,15 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
complete(&knotif->ready); complete(&knotif->ready);
} }
kfree(filter->notif); seccomp_notify_free(filter);
filter->notif = NULL;
mutex_unlock(&filter->notify_lock); mutex_unlock(&filter->notify_lock);
}
static int seccomp_notify_release(struct inode *inode, struct file *file)
{
struct seccomp_filter *filter = file->private_data;
seccomp_notify_detach(filter);
__put_seccomp_filter(filter); __put_seccomp_filter(filter);
return 0; return 0;
} }
@ -1488,7 +1499,7 @@ static struct file *init_listener(struct seccomp_filter *filter)
out_notif: out_notif:
if (IS_ERR(ret)) if (IS_ERR(ret))
kfree(filter->notif); seccomp_notify_free(filter);
out: out:
return ret; return ret;
} }
@ -1581,6 +1592,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
listener_f->private_data = NULL; listener_f->private_data = NULL;
fput(listener_f); fput(listener_f);
put_unused_fd(listener); put_unused_fd(listener);
seccomp_notify_detach(prepared);
} else { } else {
fd_install(listener, listener_f); fd_install(listener, listener_f);
ret = listener; ret = listener;