From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
stable inclusion from stable-v5.10.212 commit a23ac1788e2c828c097119e9a3178f0b7e503fee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream.
Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems.
Reported-by: Sam Sun samsun1006219@gmail.com Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8... Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: stable@vger.kernel.org # Linux 3.1+ Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Conflicts: security/tomoyo/common.c
Signed-off-by: Felix Fu fuzhen5@huawei.com --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index e6970a69c20c..cf3f90ed7838 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2586,7 +2586,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -ENOSYS; @@ -2594,6 +2594,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, return -EFAULT; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */