lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2f2d07c33170b6ed06f72e927a0d31989bca7c85.camel@linux.ibm.com>
Date: Thu, 07 Mar 2024 14:42:39 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>, corbet@....net,
        dmitry.kasatkin@...il.com, eric.snowberg@...cle.com,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com
Cc: linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        wufan@...ux.microsoft.com, pbrobinson@...il.com, zbyszek@...waw.pl,
        hch@....de, mjg59@...f.ucam.org, pmatilai@...hat.com, jannh@...gle.com,
        dhowells@...hat.com, jikos@...nel.org, mkoutny@...e.com,
        ppavlu@...e.com, petr.vorel@...il.com, petrtesarik@...weicloud.com,
        mzerqung@...inter.de, kgold@...ux.ibm.com,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [RFC][PATCH 2/8] ima: Nest iint mutex for DIGEST_LIST_CHECK hook

On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@...wei.com>
> 
> Invoking digest_cache_get() inside the iint->mutex critical region can
> cause deadlocks due to the fact that IMA can be recursively invoked for
> reading the digest list. The deadlock would occur if the digest_cache LSM
> attempts to read the same inode that is already locked by IMA.
> 
> However, since the digest_cache LSM makes sure that the above situation
> never happens, as it checks the inodes, it is safe to call
> digest_cache_get() inside the critical region and nest the iint->mutex
> when the DIGEST_LIST_CHECK hook is executed.
> 
> Add a lockdep subclass to the iint->mutex, that is 0 if the IMA hook
> executed is not DIGEST_LIST_CHECK, and 1 when it is. Since lockdep allows
> nesting with higher classes and subclasses, that effectively eliminates the
> warning about the unsafe lock.
> 
> Pass the new lockdep subclass (nested variable) from ima_inode_get() to
> ima_iint_init_always() and ima_iint_lockdep_annotate().
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
>  security/integrity/ima/ima.h      |  2 +-
>  security/integrity/ima/ima_iint.c | 11 ++++++-----
>  security/integrity/ima/ima_main.c |  6 +++---
>  3 files changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index cea4517e73ab..c9140a57b591 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -216,7 +216,7 @@ static inline void ima_inode_set_iint(const struct inode
> *inode,
>  }
>  
>  struct ima_iint_cache *ima_iint_find(struct inode *inode);
> -struct ima_iint_cache *ima_inode_get(struct inode *inode);
> +struct ima_iint_cache *ima_inode_get(struct inode *inode, bool nested);
>  void ima_inode_free(struct inode *inode);
>  void __init ima_iintcache_init(void);
>  
> diff --git a/security/integrity/ima/ima_iint.c
> b/security/integrity/ima/ima_iint.c
> index e7c9c216c1c6..b4f476fae437 100644
> --- a/security/integrity/ima/ima_iint.c
> +++ b/security/integrity/ima/ima_iint.c
> @@ -41,7 +41,7 @@ struct ima_iint_cache *ima_iint_find(struct inode *inode)
>   * See ovl_lockdep_annotate_inode_mutex_key() for more details.
>   */
>  static inline void ima_iint_lockdep_annotate(struct ima_iint_cache *iint,
> -					     struct inode *inode)
> +					     struct inode *inode, bool nested)
>  {
>  #ifdef CONFIG_LOCKDEP
>  	static struct lock_class_key ima_iint_mutex_key[IMA_MAX_NESTING];


"nested" is being pushed all the way down to here, perhaps I'm missing
something, but I don't see it being used in any of the patches.

Mimi

> @@ -56,7 +56,7 @@ static inline void ima_iint_lockdep_annotate(struct
> ima_iint_cache *iint,
>  }
>  
>  static void ima_iint_init_always(struct ima_iint_cache *iint,
> -				 struct inode *inode)
> +				 struct inode *inode, bool nested)
>  {
>  	iint->ima_hash = NULL;
>  	iint->version = 0;
> @@ -69,7 +69,7 @@ static void ima_iint_init_always(struct ima_iint_cache
> *iint,
>  	iint->ima_creds_status = INTEGRITY_UNKNOWN;
>  	iint->measured_pcrs = 0;
>  	mutex_init(&iint->mutex);
> -	ima_iint_lockdep_annotate(iint, inode);
> +	ima_iint_lockdep_annotate(iint, inode, nested);
>  }
>  
>  static void ima_iint_free(struct ima_iint_cache *iint)
> @@ -82,13 +82,14 @@ static void ima_iint_free(struct ima_iint_cache *iint)
>  /**
>   * ima_inode_get - Find or allocate an iint associated with an inode
>   * @inode: Pointer to the inode
> + * @nested: Whether or not the iint->mutex lock can be nested
>   *
>   * Find an iint associated with an inode, and allocate a new one if not
> found.
>   * Caller must lock i_mutex.
>   *
>   * Return: An iint on success, NULL on error.
>   */
> -struct ima_iint_cache *ima_inode_get(struct inode *inode)
> +struct ima_iint_cache *ima_inode_get(struct inode *inode, bool nested)
>  {
>  	struct ima_iint_cache *iint;
>  
> @@ -100,7 +101,7 @@ struct ima_iint_cache *ima_inode_get(struct inode *inode)
>  	if (!iint)
>  		return NULL;
>  
> -	ima_iint_init_always(iint, inode);
> +	ima_iint_init_always(iint, inode, nested);
>  
>  	inode->i_flags |= S_IMA;
>  	ima_inode_set_iint(inode, iint);
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 780627b0cde7..18285fc8ac07 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -248,7 +248,7 @@ static int process_measurement(struct file *file, const
> struct cred *cred,
>  	inode_lock(inode);
>  
>  	if (action) {
> -		iint = ima_inode_get(inode);
> +		iint = ima_inode_get(inode, func == DIGEST_LIST_CHECK);
>  		if (!iint)
>  			rc = -ENOMEM;
>  	}
> @@ -699,7 +699,7 @@ static void ima_post_create_tmpfile(struct mnt_idmap
> *idmap,
>  		return;
>  
>  	/* Nothing to do if we can't allocate memory */
> -	iint = ima_inode_get(inode);
> +	iint = ima_inode_get(inode, false);
>  	if (!iint)
>  		return;
>  
> @@ -731,7 +731,7 @@ static void ima_post_path_mknod(struct mnt_idmap *idmap,
> struct dentry *dentry)
>  		return;
>  
>  	/* Nothing to do if we can't allocate memory */
> -	iint = ima_inode_get(inode);
> +	iint = ima_inode_get(inode, false);
>  	if (!iint)
>  		return;
>  


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ