lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 08 Aug 2012 12:14:42 -0700
From:	John Stultz <johnstul@...ibm.com>
To:	"Serge E. Hallyn" <serge@...lyn.com>
CC:	Paul Moore <paul@...l-moore.com>,
	lkml <linux-kernel@...r.kernel.org>,
	James Morris <james.l.morris@...cle.com>,
	selinux@...ho.nsa.gov, Eric Dumazet <edumazet@...gle.com>,
	john.johansen@...onical.com
Subject: Re: NULL pointer dereference in selinux_ip_postroute_compat

On 08/07/2012 03:37 PM, John Stultz wrote:
> On 08/07/2012 03:17 PM, Serge E. Hallyn wrote:
>> Quoting Paul Moore (paul@...l-moore.com):
>>> On Tue, Aug 7, 2012 at 5:58 PM, John Stultz <john.stultz@...aro.org> 
>>> wrote:
>>>> On 08/07/2012 02:50 PM, Paul Moore wrote:
>>>>> On Tue, Aug 7, 2012 at 2:12 PM, John Stultz <john.stultz@...aro.org>
>>>>> wrote:
>>>>>> Hi,
>>>>>>       With my kvm environment using 3.6-rc1+, I'm seeing NULL 
>>>>>> pointer
>>>>>> dereferences in selinux_ip_postroute_compat(). It looks like the 
>>>>>> sksec
>>>>>> value
>>>>>> is null and we die in the following line:
>>>>>>
>>>>>>       if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
>>>>>>
>>>>>> This triggers every time I shutdown the machine, but has also 
>>>>>> triggered
>>>>>> randomly after a few hours.
[snip]
>> The problem seems to be that selinux_nf_ip_init() was called, which
>> registers the selinux_ipv4_ops (and ipv6).  Those should not get 
>> registered
>> if selinux ends up not being loaded (as in, if apparmor is loaded 
>> first),
>> since as you've found here the selinux lsm hooks won't be called to set
>> call selinux_sk_alloc_security().
> This sounds about right:
> root@...tvm:~# dmesg | grep SELinux
> [    0.004578] SELinux:  Initializing.
> [    0.005704] SELinux:  Starting in permissive mode
> [    2.235034] SELinux:  Registering netfilter hooks
>
>> I assume what's happening is that 
>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE was
>> set to 1, but selinux ended up being set to disabled after the
>> __initcall(selinux_nf_ip_init) ran?  Weird.
> This looks right as well:
>
> # zcat config.gz | grep SELINUX
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
> CONFIG_DEFAULT_SECURITY_SELINUX=y
>
>
> Since the problem isn't completely obvious, I'm starting a bisection 
> to narrow this down some more.

So I bisected this down and it seems to be the following commit:

commit be9f4a44e7d41cee50ddb5f038fc2391cbbb4046
Author: Eric Dumazet <edumazet@...gle.com>
Date:   Thu Jul 19 07:34:03 2012 +0000

     ipv4: tcp: remove per net tcp_sock


It doesn't revert totally cleanly, but after fixing up the rejections 
and booting with this patch removed on top of Linus' head the oops on 
shutdown goes away.

thanks
-john


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ