From eabc10e60dac08b9f4f05872d785532d0856e09f Mon Sep 17 00:00:00 2001 From: GiSeong Ji Date: Thu, 22 Aug 2024 18:18:06 +0900 Subject: [PATCH 1/2] security: smack: Fix indentation in smack_netfilter.c Aligned parameters in the function declaration of smack_ip_output to adhere to the Linux kernel coding style guidelines. The parameters of the smack_ip_output function were previously misaligned, with the second and third parameters not aligned under the first parameter. This change corrects the indentation, improving code readability and maintaining consistency with the rest of the codebase. Signed-off-by: GiSeong Ji Signed-off-by: Casey Schaufler --- security/smack/smack_netfilter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index b945c1d3a743..709b1fcff514 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -19,8 +19,8 @@ #include "smack.h" static unsigned int smack_ip_output(void *priv, - struct sk_buff *skb, - const struct nf_hook_state *state) + struct sk_buff *skb, + const struct nf_hook_state *state) { struct sock *sk = skb_to_full_sk(skb); struct socket_smack *ssp; From 2749749afa071f8a0e405605de9da615e771a7ce Mon Sep 17 00:00:00 2001 
From: Jiawei Ye Date: Mon, 2 Sep 2024 08:47:26 +0000 Subject: [PATCH 2/2] smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat` field is directly assigned to a new value without using the appropriate RCU pointer assignment functions. According to RCU usage rules, this is illegal and can lead to unpredictable behavior, including data inconsistencies and impossible-to-diagnose memory corruption issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the assignment is now done using rcu_assign_pointer(), which ensures that the pointer assignment is done safely, with the necessary memory barriers and synchronization. This change prevents potential RCU dereference issues by ensuring that the `cat` field is safely updated while still adhering to RCU's requirements. Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()") Signed-off-by: Jiawei Ye Signed-off-by: Casey Schaufler --- security/smack/smackfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e22aad7604e8..5dd1e164f9b1 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -932,7 +932,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, } if (rc >= 0) { old_cat = skp->smk_netlabel.attr.mls.cat; - skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; + rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat); skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; synchronize_rcu(); netlbl_catmap_free(old_cat);
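Review bot: for patch 1/2, the `-` and `+` lines of the smack_ip_output() hunk render identically here, so the change is whitespace-only (the tab/space mix of the continuation lines); that is fine as a cleanup, but since the rendered diff cannot show it, please confirm with scripts/checkpatch.pl --strict that the new alignment uses tabs up to the opening parenthesis and spaces only for the final column adjustment, which is what the kernel style expects, and mention "whitespace" in the subject so a reader does not expect a logic change.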
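Review bot: for patch 2/2, switching the store to rcu_assign_pointer() only closes the race if every reader of skp->smk_netlabel.attr.mls.cat goes through rcu_dereference() under rcu_read_lock(); the hunk does not show the readers (netlbl_catmap_walk() named in the Fixes tag is one of them), so please confirm they are converted in the same series, and annotate the cat field `__rcu` so sparse can check both sides. Without that annotation sparse will flag this very line for an address-space mismatch, and once it is added the preceding `old_cat = skp->smk_netlabel.attr.mls.cat;` should become rcu_dereference_protected() with a lockdep condition for whatever lock serializes smk_set_cipso() writers (also not visible in the hunk). Separately, the next line `skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;` remains a plain store with no ordering against the cat publish, so a reader can still observe the new cat with the old lvl or vice versa; if the pair has to be consistent, publish one heap-allocated {cat, lvl} object through a single RCU pointer rather than two fields, and keep the existing synchronize_rcu() before netlbl_catmap_free(old_cat) as is.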