From 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Fri, 1 Mar 2024 22:04:06 +0900
Subject: [PATCH] tomoyo: fix UAF write bug in tomoyo_write_control()
Git-commit: 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815
Patch-mainline: v6.8-rc7
References: bsc#1220825 CVE-2024-26622
Since tomoyo_write_control() updates head->write_buf when write()
of long lines is requested, we need to fetch head->write_buf after
head->io_sem is held. Otherwise, concurrent write() requests can
cause use-after-free-write and double-free problems.
Reported-by: Sam Sun <samsun1006219@gmail.com>
Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji8g@mail.gmail.com
Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.")
Cc: <stable@vger.kernel.org> # Linux 3.1+
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Anthony Iliopoulos <ailiop@suse.com>
---
security/tomoyo/common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2585,7 +2585,7 @@ ssize_t tomoyo_write_control(struct tomo
{
int error = buffer_len;
size_t avail_len = buffer_len;
- char *cp0 = head->write_buf;
+ char *cp0;
int idx;
if (!head->write)
return -ENOSYS;
@@ -2593,6 +2593,7 @@ ssize_t tomoyo_write_control(struct tomo
return -EFAULT;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
+ cp0 = head->write_buf;
head->read_user_buf_avail = 0;
idx = tomoyo_read_lock();
/* Read a line and dispatch it to the policy handler. */