SELinuxProject / selinux-kernel

GitHub mirror of the SELinux kernel repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

BUG: memory leaks in selinux_sb_eat_lsm_opts() #62

Closed cgzones closed 2 years ago

cgzones commented 2 years ago

Version: 5.19.0-rc2

After running the SELinux testsuite:

unreferenced object 0xffff888114dfd140 (size 64):
  comm "mount", pid 15182, jiffies 4295687028 (age 796.340s)
  hex dump (first 32 bytes):
    73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f  system_u:object_
    72 3a 74 65 73 74 5f 66 69 6c 65 73 79 73 74 65  r:test_filesyste
  backtrace:
    [<ffffffffa07dbef4>] kmemdup_nul+0x24/0x80
    [<ffffffffa0d34253>] selinux_sb_eat_lsm_opts+0x293/0x560
    [<ffffffffa0d13f08>] security_sb_eat_lsm_opts+0x58/0x80
    [<ffffffffa0af1eb2>] generic_parse_monolithic+0x82/0x180
    [<ffffffffa0a9c1a5>] do_new_mount+0x1f5/0x550
    [<ffffffffa0a9eccb>] path_mount+0x2ab/0x1570
    [<ffffffffa0aa019e>] __x64_sys_mount+0x20e/0x280
    [<ffffffffa1f47124>] do_syscall_64+0x34/0x80
    [<ffffffffa200007e>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
unreferenced object 0xffff88810a958840 (size 64):
  comm "mount", pid 11288, jiffies 4295609595 (age 1105.612s)
  hex dump (first 32 bytes):
    73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f  system_u:object_
    72 3a 74 65 73 74 5f 66 69 6c 65 73 79 73 74 65  r:test_filesyste
  backtrace:
    [<ffffffffa07dbef4>] kmemdup_nul+0x24/0x80
    [<ffffffffa0d34253>] selinux_sb_eat_lsm_opts+0x293/0x560
    [<ffffffffa0d13f08>] security_sb_eat_lsm_opts+0x58/0x80
    [<ffffffffa07c46df>] shmem_parse_options+0x2f/0x1c0
    [<ffffffffa0a9c1a5>] do_new_mount+0x1f5/0x550
    [<ffffffffa0a9eccb>] path_mount+0x2ab/0x1570
    [<ffffffffa0aa019e>] __x64_sys_mount+0x20e/0x280
    [<ffffffffa1f47124>] do_syscall_64+0x34/0x80
    [<ffffffffa200007e>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

pcmoore commented 2 years ago

Hi @cgzones,

I believe the issue is that selinux_sb_eat_lsm_opts() generates a standalone string label from the mount option using kmemdup_nul() and never frees that memory after the call to selinux_add_opt(). I'm guessing something like the following should work, want to give it a try?

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index beceb89f68d9..3cfaf8bbd14d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2600,10 +2600,10 @@ static int selinux_sb_eat_lsm_opts(char *options, void >
                                }
                        }
                        rc = selinux_add_opt(token, arg, mnt_opts);
-                       if (unlikely(rc)) {
-                               kfree(arg);
+                       kfree(arg);
+                       arg = NULL;
+                       if (unlikely(rc))
                                goto free_opt;
-                       }
                } else {
                        if (!first) {   // copy with preceding comma
                                from--;
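Review bot: moving kfree(arg) out of the error branch so it runs after every selinux_add_opt() call is only correct if selinux_add_opt() does not keep the arg pointer (for example by storing it in mnt_opts); the callee is not part of this hunk, so that should be confirmed before applying it, since otherwise the unconditional free turns the leak into a use-after-free on the success path. The added `arg = NULL;` only has an effect if some later path (the free_opt label or the end of the loop body, neither visible here) frees arg again; if nothing does, it is harmless but could go. Consider also mentioning in the commit message that the copy made by kmemdup_nul() is now owned and released by selinux_sb_eat_lsm_opts() on all paths, so the ownership rule is recorded for the next reader.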
cgzones commented 2 years ago

https://github.com/torvalds/linux/commit/cad140d00899e7a9cb6fe93b282051df589e671c
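The leak pcmoore describes above, a kmemdup_nul() copy of the label that is freed only when selinux_add_opt() fails, modelled in user-space C as an added example; this is not kernel code and not part of the thread or the linked commit. The counting allocator, the add_opt() stand-in that converts the label to a number and keeps no reference to it, the list of LSM option keys and the sample mount strings are all constructed for the example, and the kernel functions are named only in comments. Running it shows one outstanding copy per successfully parsed LSM option with the original cleanup and none with the patched cleanup, including the case where a later option fails.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copies made by dup_nul() that have not been freed; anything left after
 * parsing is a leak (a user-space stand-in for what kmemleak reported). */
static int live_allocs;

/* Stand-in for kmemdup_nul(): copy len bytes and NUL-terminate. */
static char *dup_nul(const char *s, size_t len)
{
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    memcpy(p, s, len);
    p[len] = '\0';
    live_allocs++;
    return p;
}

/* Stand-in for kfree(): accepts NULL, like the kernel's does. */
static void free_arg(char *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Option keys treated as LSM options (constructed list for the example). */
static int is_lsm_key(const char *key, size_t len)
{
    static const char *const keys[] = {
        "context", "fscontext", "defcontext", "rootcontext"
    };
    size_t i;

    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (strlen(keys[i]) == len && memcmp(keys[i], key, len) == 0)
            return 1;
    return 0;
}

/* Stand-in for selinux_add_opt(): maps the label to a number (its length,
 * a placeholder for a SID) and keeps no pointer to it. An empty label is
 * rejected; that is the constructed failure case. */
static int add_opt(const char *arg, unsigned *sid)
{
    if (*arg == '\0')
        return -1;
    *sid = (unsigned)strlen(arg);
    return 0;
}

/* Parse a comma-separated mount option string the way the hook's loop does.
 * fixed == 0: free the copy only when add_opt() fails (original behaviour);
 * fixed != 0: free it on every path (patched behaviour).
 * Returns the number of copies still outstanding, i.e. leaked, or -1 if a
 * copy could not be allocated. */
int leaked_after_parse(const char *options, int fixed)
{
    const char *p = options;
    unsigned sid;
    int rc = 0;

    live_allocs = 0;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);

        if (eq && is_lsm_key(p, (size_t)(eq - p))) {
            size_t vlen = len - (size_t)(eq + 1 - p);
            char *arg = dup_nul(eq + 1, vlen);

            if (!arg)
                return -1;
            rc = add_opt(arg, &sid);
            if (fixed) {
                free_arg(arg);      /* patched: copy is dead either way */
                arg = NULL;
                if (rc)
                    break;
            } else if (rc) {
                free_arg(arg);      /* original: freed only on error */
                break;
            }
            /* original code: on success the copy is simply forgotten */
        }
        p += len;
        if (*p == ',')
            p++;
    }
    return live_allocs;
}

int main(void)
{
    const char *opts = "context=system_u:object_r:test_t:s0,rw,"
                       "defcontext=system_u:object_r:test_t:s0";

    printf("original cleanup: %d leaked\n", leaked_after_parse(opts, 0));
    printf("patched cleanup:  %d leaked\n", leaked_after_parse(opts, 1));
    return 0;
}
```

The model keeps the same ownership rule the patch relies on: add_opt() consumes the string's content, not the pointer, so the caller is the only owner and must release the copy on both the success and the failure path.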