lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87sip15iy5.fsf@x220.int.ebiederm.org>
Date:	Fri, 25 Apr 2014 12:04:50 -0700
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Dmitry Kasatkin <d.kasatkin@...sung.com>,
	linux-security-module <linux-security-module@...r.kernel.org>,
	john.johansen@...onical.com, Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	James Morris <jmorris@...ei.org>, viro@...IV.linux.org.uk,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	kernel-team@...ts.ubuntu.com
Subject: Re: Kernel panic at Ubuntu: IMA + Apparmor

Oleg Nesterov <oleg@...hat.com> writes:

> On 04/25, Dmitry Kasatkin wrote:
>>
>> On 25/04/14 16:00, Dmitry Kasatkin wrote:
>> > Hello,
>> >
>> > I discovered a kernel panic on system running Ubuntu when IMA is enabled.
>> > It happens on reboot.
>> >
>> > ----------------------
>> > [  106.750100] NSPROXY is NULL: error.log (/var/log/mysql/error.log)
>> > [  106.750167] BUG: unable to handle kernel NULL pointer dereference at
>> > 0000000000000018
>> > [  106.750221] IP: [<ffffffff811ec7da>] our_mnt+0x1a/0x30
> ...
>> > [  106.751149] Call Trace:
>> > [  106.751172]  [<ffffffff813434eb>] ? aa_path_name+0x2ab/0x430
>> > [  106.751199]  [<ffffffff8101b9b9>] ? sched_clock+0x9/0x10
>> > [  106.751225]  [<ffffffff8134a68d>] aa_path_perm+0x7d/0x170
>> > [  106.751250]  [<ffffffff8101b945>] ? native_sched_clock+0x15/0x80
>> > [  106.751276]  [<ffffffff8134aa73>] aa_file_perm+0x33/0x40
>> > [  106.751301]  [<ffffffff81348c5e>] common_file_perm+0x8e/0xb0
>> > [  106.751327]  [<ffffffff81348d78>] apparmor_file_permission+0x18/0x20
>> > [  106.751355]  [<ffffffff8130c853>] security_file_permission+0x23/0xa0
>> > [  106.751382]  [<ffffffff811c77a2>] rw_verify_area+0x52/0xe0
>> > [  106.751407]  [<ffffffff811c789d>] vfs_read+0x6d/0x170
>> > [  106.751432]  [<ffffffff811cda31>] kernel_read+0x41/0x60
>> > [  106.751457]  [<ffffffff8134fd45>] ima_calc_file_hash+0x225/0x280
>> > [  106.751483]  [<ffffffff8134fb52>] ? ima_calc_file_hash+0x32/0x280
>> > [  106.751509]  [<ffffffff8135022d>] ima_collect_measurement+0x9d/0x160
>> > [  106.751536]  [<ffffffff810b552d>] ? trace_hardirqs_on+0xd/0x10
>> > [  106.751562]  [<ffffffff8134f07c>] ? ima_file_free+0x6c/0xd0
>> > [  106.751587]  [<ffffffff81352824>] ima_update_xattr+0x34/0x60
>> > [  106.751612]  [<ffffffff8134f0d0>] ima_file_free+0xc0/0xd0
>> > [  106.751637]  [<ffffffff811c9635>] __fput+0xd5/0x300
>
> fantastic ;)
>
>> > [  106.751662]  [<ffffffff811c98ae>] ____fput+0xe/0x10
>> > [  106.751687]  [<ffffffff81086774>] task_work_run+0xc4/0xe0
>> > [  106.751712]  [<ffffffff81066fad>] do_exit+0x2bd/0xa90
>> > [  106.751738]  [<ffffffff8173c958>] ? retint_swapgs+0x13/0x1b
>> > [  106.751763]  [<ffffffff8106780c>] do_group_exit+0x4c/0xc0
> ...
>> It seems the problem is the order of functions in do_exit
>>
>> do_exit()
>> {
>>     ...
>>     exit_task_namespaces(tsk);
>>     exit_task_work(tsk);
>
> Yes.
>
> Eric, this makes me think again that we should do exit_task_namespaces()
> after exit_task_work(). We already discussed this before, but this looks
> like another indication this change makes sense.

I know you mentioned something about that.  I haven't actually had much
time to think about it.

> The problem with fput() from free_nsproxy() was hopefully also fixed by
> e7b2c4069252. The main motivation for "move" was "outside of exit_notify".
> Even if we fix the paths above task_work_add() can have another user which
> wants ->nsproxy.
>
> What do you think?

I am scratching my head.  Delayed work that depends on current sort of
blows my mind. 

As I read this it is coming from __fput.  Hmm.

So I think the blinkered thing is having a security_file_permission
inside of kernel_read.  That is utter nonsense.  At least for a
kernel_read we are doing from ima.

apparmor should not be trying to limit ima.

Show me a legitimate bug caused by the ordering and we can discuss
reordering.


Looking at kernel_read it is used elsewhere by the binfmt routines, and
doing permissions checks there on the part of the user that is doing
exec seems appropriate.

So I think the deep bug here is ima is using kernel_read which is
inappropriate for what it is trying to do.   Permission checks on an
integrity mechanism?

Even if we ignore insane the security_file_permission in rw_verify_area
we still have mandatory locks that could cause this to fail.  Which
looks like an evil user could bypass ima by simply setting a mandatory
lock on a file and not letting anyone else read it.  Which makes
vfs_read and thus kernel_read wildly inappropriate for what ima is
trying to do.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ