Message-ID: <CACYkzJ6TUki=14-gPBCQL3wcFGvZF2STTzDzZ_Hfd-G_2V5sEw@mail.gmail.com>
Date: Tue, 30 Jul 2024 19:40:11 +0200
From: KP Singh <kpsingh@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: linux-security-module@...r.kernel.org, James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>, Narasimhan V <Narasimhan.V@....com>,
lkml <linux-kernel@...r.kernel.org>, Borislav Petkov <bp@...en8.de>
Subject: Re: static_key_enable_cpuslocked(): static key 'security_hook_active_locked_down_0+0x0/0x10' used before call to jump_label_init()

On Tue, Jul 30, 2024 at 5:03 PM Paul Moore <paul@...l-moore.com> wrote:
>
> On Tue, Jul 30, 2024 at 7:34 AM Borislav Petkov <bp@...en8.de> wrote:
> >
> > Hi,
> >
> > this is with today's linux-next:
> >
> > ...
> >
> > 09:44:13 [console-expect]#kexec -e
> > 09:44:13 kexec -e
> > 09:44:16 ^[[?2004l^M[ 0.000000] Linux version 6.11.0-rc1-next-20240730-1722324631886 (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #1 SMP PREEMPT_DYNAMIC Tue Jul 30 07:40:55 UTC 2024
> > 09:44:16 [ 0.000000] ------------[ cut here ]------------
> > 09:44:16 [ 0.000000] WARNING: CPU: 0 PID: 0 at kernel/static_call_inline.c:153 __static_call_update+0x1c6/0x220
> > 09:44:16 [ 0.000000] Modules linked in:
> > 09:44:16 [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.11.0-rc1-next-20240730-1722324631886 #1
> > 09:44:16 [ 0.000000] RIP: 0010:__static_call_update+0x1c6/0x220
> > 09:44:16 [ 0.000000] Code: 87 5b eb d9 00 a8 01 0f 85 6c ff ff ff 4c 89 ee 48 c7 c7 e0 fb a2 8c c6 05 44 63 2b 02 01 e8 b1 00 d9 ff 0f 0b e9 4f ff ff ff <0f> 0b 48 c7 c7 40 fc 40 8d e8 dc 52 e1 00 e8 a7 23 d9 ff 48 8b 45
> > 09:44:16 [ 0.000000] RSP: 0000:ffffffff8d203dd0 EFLAGS: 00010046 ORIG_RAX: 0000000000000000
> > 09:44:16 [ 0.000000] RAX: 0000000000000000 RBX: ffffffff8b7e3250 RCX: 000000006690cbe9
> > 09:44:16 [ 0.000000] RDX: 0000000000000000 RSI: ffffffff8dbae58c RDI: ffffffff8d2867a0
> > 09:44:16 [ 0.000000] RBP: ffffffff8d203e38 R08: 00000000ff6690cb R09: 2035353a30343a37
> > 09:44:16 [ 0.000000] R10: 3230322043545520 R11: 35353a30343a3730 R12: ffffffff8c17a180
> > 09:44:16 [ 0.000000] R13: ffffffff8c48db10 R14: ffffffff8d4c7030 R15: 0000000000000000
> > 09:44:16 [ 0.000000] FS: 0000000000000000(0000) GS:ffffffff8d69c000(0000) knlGS:0000000000000000
> > 09:44:16 [ 0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > 09:44:16 [ 0.000000] CR2: ff1100007047d000 CR3: 00000000745c2000 CR4: 00000000000010b0
> > 09:44:16 [ 0.000000] Call Trace:
> > 09:44:16 [ 0.000000] <TASK>
> > 09:44:16 [ 0.000000] ? show_regs+0x6d/0x80
> > 09:44:16 [ 0.000000] ? __warn+0x91/0x140
> > 09:44:16 [ 0.000000] ? __static_call_update+0x1c6/0x220
> > 09:44:16 [ 0.000000] ? report_bug+0x193/0x1a0
> > 09:44:16 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> > 09:44:16 [ 0.000000] ? early_fixup_exception+0xa6/0xd0
> > 09:44:16 [ 0.000000] ? do_early_exception+0x27/0x70
> > 09:44:16 [ 0.000000] ? __SCT__lsm_static_call_bpf_token_capable_11+0x8/0x8
> > 09:44:17 [ 0.000000] ? early_idt_handler_common+0x2f/0x3a
> > 09:44:17 [ 0.000000] ? __SCT__lsm_static_call_bpf_token_capable_11+0x8/0x8
> > 09:44:17 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> > 09:44:17 [ 0.000000] ? __static_call_update+0x1c6/0x220
> > 09:44:17 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> > 09:44:17 [ 0.000000] ? vprintk_emit+0xb5/0x410
> > 09:44:17 [ 0.000000] security_add_hooks+0xbd/0x150
> > 09:44:17 [ 0.000000] lockdown_lsm_init+0x25/0x30
> > 09:44:17 [ 0.000000] initialize_lsm+0x38/0x90
> > 09:44:17 [ 0.000000] early_security_init+0x36/0x70
> > 09:44:17 [ 0.000000] start_kernel+0x5f/0xb50
> > 09:44:17 [ 0.000000] x86_64_start_reservations+0x1c/0x30
> > 09:44:17 [ 0.000000] x86_64_start_kernel+0xbf/0x110
> > 09:44:17 [ 0.000000] ? setup_ghcb+0x12/0x130
> > 09:44:17 [ 0.000000] common_startup_64+0x13e/0x141
> > 09:44:17 [ 0.000000] </TASK>
> > 09:44:17 [ 0.000000] ---[ end trace 0000000000000000 ]---
> > 09:44:17 [ 0.000000] ------------[ cut here ]------------
> > 09:44:17 [ 0.000000] static_key_enable_cpuslocked(): static key 'security_hook_active_locked_down_0+0x0/0x10' used before call to jump_label_init()
> > 09:44:17 [ 0.000000] WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:199 static_key_enable_cpuslocked+0x99/0xb0
> > 09:44:17 [ 0.000000] Modules linked in:
> > 09:44:17 [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.11.0-rc1-next-20240730-1722324631886 #1
> > 09:44:17 [ 0.000000] Tainted: [W]=WARN
> > 09:44:17 [ 0.000000] RIP: 0010:static_key_enable_cpuslocked+0x99/0xb0
> > 09:44:17 [ 0.000000] Code: ff ff ff ff 48 89 df e8 45 fd ff ff c7 03 01 00 00 00 eb d5 48 89 da 48 c7 c6 e0 0a 44 8c 48 c7 c7 b8 00 a3 8c e8 87 f6 d6 ff <0f> 0b eb 8e 0f 0b eb 9c 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
> > 09:44:17 [ 0.000000] RSP: 0000:ffffffff8d203e10 EFLAGS: 00010086 ORIG_RAX: 0000000000000000
> > 09:44:17 [ 0.000000] RAX: 0000000000000000 RBX: ffffffff8dd6aaf0 RCX: 0000000000000084
> > 09:44:17 [ 0.000000] RDX: ffffffff8d349400 RSI: 00000000ffffe02c RDI: ffffffff8d203cb0
> > 09:44:17 [ 0.000000] RBP: ffffffff8d203e20 R08: 000000000000007e R09: 6562616c5f706d75
> > 09:44:17 [ 0.000000] R10: 6a206f74206c6c61 R11: 632065726f666562 R12: 0000000000000000
> > 09:44:17 [ 0.000000] R13: ffffffff8c48db10 R14: ffffffff8cb0e2f8 R15: 0000000000000000
> > 09:44:17 [ 0.000000] FS: 0000000000000000(0000) GS:ffffffff8d69c000(0000) knlGS:0000000000000000
> > 09:44:17 [ 0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > 09:44:17 [ 0.000000] CR2: ff1100007047d000 CR3: 00000000745c2000 CR4: 00000000000010b0
> > 09:44:17 [ 0.000000] Call Trace:
> > 09:44:17 [ 0.000000] <TASK>
> > 09:44:17 [ 0.000000] ? show_regs+0x6d/0x80
> > 09:44:17 [ 0.000000] ? __warn+0x91/0x140
> > 09:44:17 [ 0.000000] ? static_key_enable_cpuslocked+0x99/0xb0
> > 09:44:17 [ 0.000000] ? report_bug+0x193/0x1a0
> > 09:44:17 [ 0.000000] ? fixup_exception+0x2b/0x340
> > 09:44:17 [ 0.000000] ? early_fixup_exception+0xa6/0xd0
> > 09:44:17 [ 0.000000] ? do_early_exception+0x27/0x70
> > 09:44:17 [ 0.000000] ? early_idt_handler_common+0x2f/0x3a
> > 09:44:17 [ 0.000000] ? static_key_enable_cpuslocked+0x99/0xb0
> > 09:44:17 [ 0.000000] static_key_enable+0x1f/0x30
> > 09:44:17 [ 0.000000] security_add_hooks+0xce/0x150
> > 09:44:17 [ 0.000000] lockdown_lsm_init+0x25/0x30
> > 09:44:17 [ 0.000000] initialize_lsm+0x38/0x90
> > 09:44:17 [ 0.000000] early_security_init+0x36/0x70
> > 09:44:17 [ 0.000000] start_kernel+0x5f/0xb50
> > 09:44:17 [ 0.000000] x86_64_start_reservations+0x1c/0x30
> > 09:44:17 [ 0.000000] x86_64_start_kernel+0xbf/0x110
> > 09:44:17 [ 0.000000] ? setup_ghcb+0x12/0x130
> > 09:44:17 [ 0.000000] common_startup_64+0x13e/0x141
> > 09:44:17 [ 0.000000] </TASK>
> > 09:44:17 [ 0.000000] ---[ end trace 0000000000000000 ]---
>
> KP, please take a look at this as soon as you can (lore link below for
> those who aren't on the list). One obvious first thing to look at is
> simply moving the call to early_security_init(), but that requires
> some code audit to make sure it is safe and doesn't break something
> else. Of course, if we can do something with how we setup/use static
> calls that is even better. I'll take a look at it myself later today,
> but I'm busy with meetings for the next several hours.
>
> If we can't resolve this in the next day or two I'm going to
> bounce/revert the LSM static-call patchset from lsm/dev; not ideal,
> but we can't break linux-next.
>
> https://lore.kernel.org/linux-security-module/20240730113419.GBZqjPu6SdAt5qZKnh@fat_crate.local/
>
> --
> paul-moore.com

Thanks for the ping.

Taking a look; yeah, it's possible that we need to move jump_label_init
before early_security_init / inside it.

I will do a repro and test my change and reply back.

- KP