From f57b7133bd8c7ac6eef7288e18669bbef55978e9 Mon Sep 17 00:00:00 2001
From: Satya Durga Srinivasu Prabhala
Date: Tue, 24 Sep 2013 15:23:48 -0700
Subject: [PATCH] selinux: Fix Kernel panic due to NULL pointer dereference

The kernel panic below is observed due to a race condition, where sock_has_perm
is called in one thread and tries to access sksec->sid without checking
sksec. Just before that, sk->sk_security was set to NULL by
selinux_sk_free_security through sk_free in another thread.

31704.949269: <3> IPv4: Attempt to release alive inet socket dd81b200
31704.959049: <1> Unable to handle kernel NULL pointer dereference at \
virtual address 00000000
31704.983562: <1> pgd = c6b74000
31704.985248: <1> [00000000] *pgd=00000000
31704.996591: <0> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
31705.001016: <6> Modules linked in: adsprpc [last unloaded: wlan]
31705.006659: <6> CPU: 1 Tainted: G O \
(3.4.0-g837ab9b-00003-g6bcd9c6 #1)
31705.014042: <6> PC is at sock_has_perm+0x58/0xd4
31705.018292: <6> LR is at sock_has_perm+0x58/0xd4
31705.022546: <6> pc : [] lr : [] \
psr: 60000013
31705.022549: <6> sp : dda27f00 ip : 00000000 fp : 5f36fc84
31705.034002: <6> r10: 00004000 r9 : 0000009d r8 : e8c2b700
31705.039211: <6> r7 : dda27f24 r6 : dd81b200 r5 : 00000000 \
r4 : 00000000
31705.045721: <6> r3 : 00000000 r2 : dda27ef8 r1 : 00000000 \
r0 : dda27f54
31705.052232: <6> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM \
Segment user
31705.059349: <6> Control: 10c5787d Table: 10d7406a DAC: 00000015
. . . .
31705.697816: <6> [] (sock_has_perm+0x58/0xd4) from \
[] (security_socket_getsockopt+0x14/0x1c)
31705.707534: <6> [] (security_socket_getsockopt+0x14/0x1c) \
from [] (sys_getsockopt+0x34/0xa8)
31705.717343: <6> [] (sys_getsockopt+0x34/0xa8) from \
[] (ret_fast_syscall+0x0/0x30)
31705.726193: <0> Code: e59832e8 e5933058 e5939004 ebfac736 (e5953000)
31705.732635: <4> ---[ end trace 22889004dafd87bd ]---

Change-Id: I79c3fb525f35ea2494d53788788cd71a38a32d6b
Signed-off-by: Satya Durga Srinivasu Prabhala Signed-off-by: Osvaldo Banuelos --- security/selinux/hooks.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 393e59a67381dc..6956b4a9503cdf 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3839,6 +3839,11 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms) struct lsm_network_audit net = {0,}; u32 tsid = task_sid(task); + if (unlikely(!sksec)) { + pr_warn("SELinux: sksec is NULL, socket is already freed\n"); + return -EINVAL; + } + if (sksec->sid == SECINITSID_KERNEL) return 0;
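Review bot: The NULL check added at the top of sock_has_perm only narrows the race it is meant to fix; it does not close it. The oops log in the commit message reports "Attempt to release alive inet socket dd81b200" (the same pointer is in r6 at the crash), which means sk_free ran on a socket that still had a live reference, so the sk passed into sock_has_perm is already dangling. Between `if (unlikely(!sksec))` and the following `if (sksec->sid == SECINITSID_KERNEL)` the sk_security pointer can still go NULL, and the memory it pointed to may already be freed or reused, so a check that reads sksec once and then dereferences it is a use-after-free mitigation rather than a fix. The root cause is the socket reference-count imbalance that allows sk_free on a live socket in the getsockopt path; that should be fixed (or at least tracked separately), and the commit message should say this hunk is defensive. Two smaller points: a path that can be hit repeatedly from userspace should use `pr_warn_ratelimited` rather than `pr_warn` so a misbehaving process cannot flood the log, and the choice of -EINVAL deserves a comment, since callers cannot distinguish "socket already freed" from a malformed request.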