[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhSk1_fWooexHK0+5cKum55qTvj3uv5sRE=aJ4mv2GHJZg@mail.gmail.com>
Date: Mon, 15 Apr 2019 12:20:08 -0400
From: Paul Moore <paul@...l-moore.com>
To: Oleg Nesterov <oleg@...hat.com>
Cc: Casey Schaufler <casey@...aufler-ca.com>,
"chengjian (D)" <cj.chengjian@...wei.com>, neilb@...e.com,
Anna.Schumaker@...app.com, keescook@...omium.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
viro@...iv.linux.org.uk,
"Xiexiuqi (Xie XiuQi)" <xiexiuqi@...wei.com>,
Li Bin <huawei.libin@...wei.com>, yanaijie@...wei.com,
peterz@...radead.org, mingo@...hat.com,
Linux Security Module list
<linux-security-module@...r.kernel.org>, selinux@...r.kernel.org
Subject: Re: kernel BUG at kernel/cred.c:434!
On Mon, Apr 15, 2019 at 11:05 AM Oleg Nesterov <oleg@...hat.com> wrote:
> On 04/15, Paul Moore wrote:
> >
> > On Mon, Apr 15, 2019 at 9:43 AM Oleg Nesterov <oleg@...hat.com> wrote:
> > > Well, acct("/proc/self/attr/current") doesn't look like a good idea, but I do
> > > not know where should we put the additional check... And probably
> > > "echo /proc/self/attr/current > /proc/sys/kernel/core_pattern" can hit the
> > > same problem, do_coredump() does override_creds() too.
> > >
> > > May be just add
> > >
> > > if (current->cred != current->real_cred)
> > > return -EACCES;
> > >
> > > into proc_pid_attr_write(), I dunno.
> >
> > Is the problem that do_acct_process() is calling override_creds() and
> > the returned/old credentials are being freed before do_acct_process()
> > can reinstall the creds via revert_creds()? Presumably because the
> > process accounting is causing the credentials to be replaced?
>
> Afaics, the problem is that do_acct_process() does override_creds() and
> then __kernel_write(). Which calls proc_pid_attr_write(), which in turn calls
> selinux_setprocattr(), which does another prepare_creds() + commit_creds();
> and commit_creds() hits
>
> BUG_ON(task->cred != old);
Gotcha. In the process of looking at the backtrace I forgot about the
BUG_ON() at the top of the oops message.
I wonder what terrible things would happen if we changed the BUG_ON()
in commit_creds to simple returning an error an error code to the
caller. There is a warning/requirement in commit_creds() function
header comment that it should always return 0.
--
paul moore
www.paul-moore.com
Powered by blists - more mailing lists