Re: [PATCH] fix security_release_secctx seems broken

From: James Morris
Date: Wed Oct 04 2017 - 18:11:19 EST


On Wed, 4 Oct 2017, Konstantin Khlebnikov wrote:

> Just "getcap /bin/ping" is enough to trigger leak if file has capabilities.
> SELinux shouldn't be loaded because its release_secctx hook calls kfree.

Ahh, makes sense.

>
> But sometimes it takes some time for kmemleak to find leak. Presumably
> because stale pointer stays on stack which could be reused nowadays.

Thanks for finding this!


--
James Morris
<jmorris@xxxxxxxxx>