Message-ID: <20140903074310.GA25770@localhost>
Date: Wed, 3 Sep 2014 15:43:10 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Kees Cook <keescook@...omium.org>
Cc: Jet Chen <jet.chen@...el.com>, Su Tao <tao.su@...el.com>,
Yuanhan Liu <yuanhan.liu@...el.com>, LKP <lkp@...org>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [LSM] Kernel panic - not syncing: Could not register security module

Hi Kees,

0day kernel testing robot got the below dmesg and the first bad commit is

git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/mnt-restrict

commit d9df832e0cc059bc6f94ee6ea5286fdd1efac503
Author: Kees Cook <keescook@...omium.org>
AuthorDate: Sat Sep 21 15:52:51 2013 -0700
Commit: Kees Cook <keescook@...omium.org>
CommitDate: Tue Sep 2 14:23:48 2014 -0700

    LSM: MntRestrict blocks mounts on symlink targets

    On systems where certain filesystem contents cannot be entirely trusted,
    it is beneficial to block mounts on symlinks. This makes sure that
    malicious filesystem contents cannot trigger the over-mounting of trusted
    filesystems. (For example, a bind-mounted subdirectory of /var cannot be
    redirected to mount on /etc via a symlink: a daemon cannot elevate privs
    to uid-0.)

    Signed-off-by: Kees Cook <keescook@...omium.org>

+-------------------------------------------------------------+------------+------------+------------------+
|                                                             | 7505ceaf86 | d9df832e0c | v3.17-rc3_090307 |
+-------------------------------------------------------------+------------+------------+------------------+
| boot_successes                                              | 183        | 0          | 0                |
| boot_failures                                               | 57         | 20         | 21               |
| BUG:kernel_boot_hang                                        | 57         |            |                  |
| Kernel_panic-not_syncing:Could_not_register_security_module | 0          | 20         | 21               |
| backtrace:panic                                             | 0          | 20         | 21               |
| backtrace:mntrestrict_init                                  | 0          | 20         | 21               |
| backtrace:security_init                                     | 0          | 20         | 21               |
+-------------------------------------------------------------+------------+------------+------------------+

[ 0.008000] ACPI: Core revision 20140724
[ 0.009549] ACPI: All ACPI Tables successfully acquired
[ 0.010749] Security Framework initialized
[ 0.012012] Kernel panic - not syncing: Could not register security module
[ 0.013779] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.17.0-rc3-00003-gd9df832 #6
[ 0.016000] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 0.016000] 0000000000000000 ffffffff81a03eb0 ffffffff81563273 ffffffff817aad75
[ 0.016000] ffffffff81a03f28 ffffffff8155e113 ffffffff00000008 ffffffff81a03f38
[ 0.016000] ffffffff81a03ed8 00000000000143c0 ffffffff81b4d998 0000000080000000
[ 0.016000] Call Trace:
[ 0.016000] [<ffffffff81563273>] dump_stack+0x4e/0x7a
[ 0.016000] [<ffffffff8155e113>] panic+0xc6/0x1d8
[ 0.016000] [<ffffffff81ae197b>] mntrestrict_init+0x37/0x49
[ 0.016000] [<ffffffff81adf754>] security_init+0x3c/0x47
[ 0.016000] [<ffffffff81ac0e30>] start_kernel+0x38d/0x3c7
[ 0.016000] [<ffffffff81ac08a0>] ? set_init_arg+0x53/0x53
[ 0.016000] [<ffffffff81ac0120>] ? early_idt_handlers+0x120/0x120
[ 0.016000] [<ffffffff81ac04a2>] x86_64_start_reservations+0x2a/0x2c
[ 0.016000] [<ffffffff81ac0592>] x86_64_start_kernel+0xee/0xfb

Elapsed time: 5

qemu-system-x86_64 -cpu kvm64 -enable-kvm -kernel /kernel/x86_64-randconfig-hsxa1-09030805/d9df832e0cc059bc6f94ee6ea5286fdd1efac503/vmlinuz-3.17.0-rc3-00003-gd9df832 -append 'hung_task_panic=1 earlyprintk=ttyS0,115200 debug apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100 panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0 vga=normal root=/dev/ram0 rw link=/kbuild-tests/run-queue/kvm/x86_64-randconfig-hsxa1-09030805/linux-devel:devel-hourly-2014090307:d9df832e0cc059bc6f94ee6ea5286fdd1efac503:bisect-linux-6/.vmlinuz-d9df832e0cc059bc6f94ee6ea5286fdd1efac503-20140903092602-20-vp branch=linux-devel/devel-hourly-2014090307 BOOT_IMAGE=/kernel/x86_64-randconfig-hsxa1-09030805/d9df832e0cc059bc6f94ee6ea5286fdd1efac503/vmlinuz-3.17.0-rc3-00003-gd9df832 drbd.minor_count=8' -initrd /kernel-tests/initrd/yocto-minimal-x86_64.cgz -m 320 -smp 1 -net nic,vlan=1,model=e1000 -net user,vlan=1 -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime -drive file=/fs/LABEL=KVM/disk0-yocto-vp-25,media=disk,if=virtio -drive file=/fs/LABEL=KVM/disk1-yocto-vp-25,media=disk,if=virtio -drive file=/fs/LABEL=KVM/disk2-yocto-vp-25,media=disk,if=virtio -drive file=/fs/LABEL=KVM/disk3-yocto-vp-25,media=disk,if=virtio -drive file=/fs/LABEL=KVM/disk4-yocto-vp-25,media=disk,if=virtio -drive file=/fs/LABEL=KVM/disk5-yocto-vp-25,media=disk,if=virtio -pidfile /dev/shm/kboot/pid-yocto-vp-25 -serial file:/dev/shm/kboot/serial-yocto-vp-25 -daemonize -display none -monitor null
git bisect start 548c845e0c12d446fbcd0cfc042b14075b7e8ca8 69e273c0b0a3c337a521d083374c918dc52c666f --
git bisect good eade7959972091def889e2e9b3f01ef254e20ac0 # 14:39 20+ 0 Merge 'spi/topic/of-guard' into devel-hourly-2014090307
git bisect bad 0b58f7b34051d9685dbce8e967014ca9e7057c76 # 14:39 0- 20 Merge 'kees/arm/ro-nx' into devel-hourly-2014090307
git bisect bad 424e081d63cbcab953f96eb9a06a7458e6eb0645 # 14:39 0- 20 Merge 'kees/lsm/mnt-restrict' into devel-hourly-2014090307
git bisect good 241aae727b8fd58a9f4bdf4919817957f4f64152 # 14:39 20+ 0 Merge 'renesas/devel' into devel-hourly-2014090307
git bisect good 4caa05c6584e62f376c5153c12d5f6de10a7571a # 14:39 20+ 0 Merge 'kvm/nsvm-fixes' into devel-hourly-2014090307
git bisect good 44a883de40cd921a99bf5e60b9fcce20b5b4c194 # 14:39 20+ 0 Merge 'kees/typos' into devel-hourly-2014090307
git bisect good ea9c715254f99adc3b8a52bbc71bfcb3f329a16c # 14:39 20+ 0 Merge 'staging/staging-next' into devel-hourly-2014090307
git bisect bad d9df832e0cc059bc6f94ee6ea5286fdd1efac503 # 14:41 0- 20 LSM: MntRestrict blocks mounts on symlink targets
# first bad commit: [d9df832e0cc059bc6f94ee6ea5286fdd1efac503] LSM: MntRestrict blocks mounts on symlink targets
git bisect good 7505ceaf863590b24a4c0c83b64817d26e0d51e3 # 14:45 60+ 30 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 548c845e0c12d446fbcd0cfc042b14075b7e8ca8 # 14:45 0- 21 0day head guard for 'devel-hourly-2014090307'
git bisect good 7505ceaf863590b24a4c0c83b64817d26e0d51e3 # 15:00 60+ 57 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 40e569af89a97a775e918713e2f08fa5ce5f1bb4 # 15:01 60+ 0 Add linux-next specific files for 20140902

This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

# Usage: pass the path to the kernel image under test as the first argument.
kernel=$1

# QEMU/KVM options for the test guest
kvm=(
	qemu-system-x86_64
	-cpu kvm64
	-enable-kvm
	-kernel "$kernel"
	-m 320
	-smp 1
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

# Kernel command line passed to the guest
append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

# Boot the guest; the append array is joined into one command-line string
"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang
View attachment "dmesg-yocto-vp-25:20140903092640:x86_64-randconfig-hsxa1-09030805:3.17.0-rc3-00003-gd9df832:6" of type "text/plain" (24367 bytes)