[PATCH] seccomp: don't leak memory when filter install races

From: Tycho Andersen
Date: Mon Aug 31 2020 - 19:55:07 EST


In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
the listener fd, then check to see if we can actually use it later in
seccomp_may_assign_mode(), which can fail if anyone else in our thread
group has installed a filter and caused some divergence. If we can't, we
partially clean up the newly allocated file: we put the fd, put the file,
but don't actually clean up the *memory* that was allocated at
filter->notif. Let's clean that up too.

Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
Reported-by: syzbot+3ad9614a12f80994c32e@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
---
kernel/seccomp.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3ee59ce0a323..21a76127833f 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
listener_f->private_data = NULL;
fput(listener_f);
put_unused_fd(listener);
+ kfree(filter->notif);
+ filter->notif = NULL;
} else {
fd_install(listener, listener_f);
ret = listener;
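Review bot: the added kfree(filter->notif) runs after fput(listener_f) with listener_f->private_data already cleared two lines earlier, so the file's release callback cannot touch the filter and the ordering in this error branch looks safe; a one-line comment above the two added lines saying that this memory is normally freed via the listener file's release path, which is skipped here because private_data was nulled, would make clear why this branch must free it by hand. Keep the second added line, filter->notif = NULL, since it is what guards against a double kfree should a later teardown path also release the notification state; it is worth confirming that no other error path in seccomp_set_mode_filter() frees filter->notif without this reset.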

base-commit: b51594df17d0ce80b9f9f35394a1f42d7ac94472
--
2.25.1