lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <511284B2.2070402@tycho.nsa.gov>
Date:	Wed, 06 Feb 2013 11:28:34 -0500
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	Tommi Rantala <tt.rantala@...il.com>
CC:	James Morris <james.l.morris@...cle.com>,
	Eric Paris <eparis@...isplace.org>,
	linux-security-module@...r.kernel.org,
	Dave Jones <davej@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Stanislav Kinsbursky <skinsbursky@...allels.com>
Subject: Re: selinux_msg_queue_msgrcv() oops

On 02/06/2013 10:21 AM, Tommi Rantala wrote:
> 2013/2/6 Stephen Smalley <sds@...ho.nsa.gov>:
>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>
>>> Hello,
>>>
>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>> Trinity as the root user (in a qemu VM):
>>
>>
>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux is
>> just the messenger.  Normally msg->security is set for every allocated msg
>> by load_msg() -> security_msg_msg_alloc() ->
>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking around,
>> I see copy_msg() introduced for checkpoint-restore initializes dst->security
>> to NULL but never sets it properly?
>
> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
> analysis seems to be correct.

(cc originator of the bug)

If I am reading this correctly, then when the copy msg was created, a 
msg security struct was already allocated 
(prepare_copy->load_msg->security_msg_msg_alloc).  So having copy_msg() 
clear dst->security is also a memory leak in addition to leading to this 
oops.  Attached is a possible, un-tested fix.

>
>>>
>>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>>> at           (null)
>>> [12578.054025] IP: [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>>> [12578.054025] Oops: 0000 [#2] SMP
>>> [12578.054025] CPU 1
>>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
>>>    3.8.0-rc6+ #31 Bochs Bochs
>>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
>>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>>> 0000000000000001
>>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>>> 0000000000000246
>>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>>> 0000000000000000
>>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>>> 0000000000000001
>>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>>> ffff88003132d410
>>> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
>>> knlGS:0000000000000000
>>> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>>> 00000000000006e0
>>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>>> ffff88002b6b4000, task ffff88000e8bc560)
>>> [12578.054025] Stack:
>>> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>>> ffffffff00000000
>>> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>>> 0000000000000001
>>> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>>> ffffffff81314086
>>> [12578.054025] Call Trace:
>>> [12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
>>> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>>> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>>> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>>> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>>> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
>>> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>>> [12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
>>> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>>> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [12578.054025] RIP  [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025]  RSP <ffff88002b6b5e18>
>>> [12578.054025] CR2: 0000000000000000
>>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>>
>>>
>>> After adding:
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 54aaa72..20cec57 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>>> msg_queue *msq, struct msg_msg *msg,
>>>
>>>           rc = avc_has_perm(sid, isec->sid,
>>>                             SECCLASS_MSGQ, MSGQ__READ, &ad);
>>> -       if (!rc)
>>> +       if (!rc) {
>>> +               WARN(msec == NULL, "msec is NULL!");
>>> +
>>>                   rc = avc_has_perm(sid, msec->sid,
>>>                                     SECCLASS_MSG, MSG__RECEIVE, &ad);
>>> +       }
>>>           return rc;
>>>    }
>>>
>>>
>>> I see:
>>>
>>> [   43.103283] ------------[ cut here ]------------
>>> [   43.104236] WARNING: at
>>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>>> [   43.106088] Hardware name: Bochs
>>> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>>> tainted 3.8.0-rc6+ #37
>>> [   43.107950] Call Trace:
>>> [   43.108393]  [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>>> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>>> [   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.118850]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>>> [   43.123815]
>>> [   43.124096] ===============================
>>> [   43.124804] [ INFO: suspicious RCU usage. ]
>>> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
>>> [   43.126344] -------------------------------
>>> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>>> Illegal context switch in RCU read-side critical section!
>>> [   43.129015]
>>> [   43.129015] other info that might help us debug this:
>>> [   43.129015]
>>> [   43.130367]
>>> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
>>> [   43.131481] 3 locks held by trinity-child9/2387:
>>> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>>> ipc_lock+0x5/0x1c0
>>> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
>>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>>> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>>> __do_page_fault+0x114/0x4e0
>>> [   43.136864]
>>> [   43.136864] stack backtrace:
>>> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>> 3.8.0-rc6+ #37
>>> [   43.138897] Call Trace:
>>> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>>> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
>>> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>>> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>>> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>>> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>>> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>>> [   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
>>> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>>> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>>> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>>> [   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.151263]  [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.160131]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.176035] BUG: unable to handle kernel NULL pointer dereference
>>> at           (null)
>>> [   43.177016] IP: [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>>> [   43.177016] Oops: 0000 [#1] SMP
>>> [   43.177016] CPU 0
>>> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>> 3.8.0-rc6+ #37 Bochs Bochs
>>> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
>>> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>>> 0000000000000006
>>> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>>> 0000000000000009
>>> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>>> 0000000000000000
>>> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>>> 0000000000000001
>>> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>>> ffff880032e0e810
>>> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>>> knlGS:0000000000000000
>>> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>>> 00000000000006f0
>>> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo
>>> ffff8800318a6000, task ffff88003b7c4560)
>>> [   43.177016] Stack:
>>> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>>> ffffffff5d6d982a
>>> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
>>> 0000000000000001
>>> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>>> ffffffff813140b6
>>> [   43.177016] Call Trace:
>>> [   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.177016]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [   43.177016] RIP  [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016]  RSP <ffff8800318a7e18>
>>> [   43.177016] CR2: 0000000000000000
>>> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>>> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>>> [trinity-child8:2382]
>>>
>>> Tommi
>>>
>>


View attachment "0001-Fix-selinux_msg_queue_msgrcv-oops.patch" of type "text/x-patch" (4636 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ