[tomoyo-users-en 260] Memory leak bug in TOMOYO 2.3

Back to archive index
Tetsuo Handa from-****@I-lov*****
Wed Mar 2 16:45:21 JST 2011


Memory leak was found in TOMOYO 2.3 which is included in 2.6.36 and later.

In tomoyo_check_open_permission() which checks permissions upon file open,
TOMOYO was by error recalculating already calculated pathname when checking
allow_rewrite permission.

int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
				 struct path *path, const int flag)
{
	const u8 acc_mode = ACC_MODE(flag);
	int error = -ENOMEM;
	struct tomoyo_path_info buf;
	struct tomoyo_request_info r;
	int idx;

	if (!path->mnt ||
	    (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)))
		return 0;
	buf.name = NULL;
	r.mode = TOMOYO_CONFIG_DISABLED;
	idx = tomoyo_read_lock();
	if (!tomoyo_get_realpath(&buf, path))
		goto out;
	error = 0;
	/*
	 * If the filename is specified by "deny_rewrite" keyword,
	 * we need to check "allow_rewrite" permission when the filename is not
	 * opened for append mode or the filename is truncated at open time.
	 */
	if ((acc_mode & MAY_WRITE) && !(flag & O_APPEND)
	    && tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_REWRITE)
	    != TOMOYO_CONFIG_DISABLED) {
		if (!tomoyo_get_realpath(&buf, path)) {
			error = -ENOMEM;
			goto out;
		}
		if (tomoyo_no_rewrite_file(&buf))
			error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE,
						       &buf);
	}
	(...snipped...)
}

As a result, memory will leak whenever a file is opened for writing without
O_APPEND flag. Also, performance will degrade because TOMOYO is calculating
pathname regardless of profile configuration (i.e. calculates pathname even
for CONFIG={ mode=disabled } case.)

To fix the leak and degrade, please apply below patch and recompile and reboot.

---
 security/tomoyo/file.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- linux-2.6.38-rc7.orig/security/tomoyo/file.c
+++ linux-2.6.38-rc7/security/tomoyo/file.c
@@ -927,7 +927,7 @@ int tomoyo_check_open_permission(struct 
 				 struct path *path, const int flag)
 {
 	const u8 acc_mode = ACC_MODE(flag);
-	int error = -ENOMEM;
+	int error = 0;
 	struct tomoyo_path_info buf;
 	struct tomoyo_request_info r;
 	int idx;
@@ -938,9 +938,6 @@ int tomoyo_check_open_permission(struct 
 	buf.name = NULL;
 	r.mode = TOMOYO_CONFIG_DISABLED;
 	idx = tomoyo_read_lock();
-	if (!tomoyo_get_realpath(&buf, path))
-		goto out;
-	error = 0;
 	/*
 	 * If the filename is specified by "deny_rewrite" keyword,
 	 * we need to check "allow_rewrite" permission when the filename is not

If you cannot reboot soon, you can append below entries to
/etc/tomoyo/profile.conf and /sys/kernel/security/tomoyo/profile
(i.e. disable allow_rewrite permission checking) in order to avoid the leak.

0-CONFIG::file::rewrite={ mode=disabled }
1-CONFIG::file::rewrite={ mode=disabled }
2-CONFIG::file::rewrite={ mode=disabled }
3-CONFIG::file::rewrite={ mode=disabled }

Regards.




More information about the tomoyo-users-en mailing list
Back to archive index