Message-ID: <CACYkzJ6486mzW97LF+QrHhM9-pZt0QPWFH+oCrTmubGkJVvGhw@mail.gmail.com>
Date: Tue, 6 Aug 2024 01:29:37 +0200
From: KP Singh <kpsingh@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, 
	bp@...en8.de, sfr@...b.auug.org.au, peterz@...radead.org, nathan@...nel.org
Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code

On Mon, Aug 5, 2024 at 9:58 PM Paul Moore <paul@...l-moore.com> wrote:
>
> On Thu, Aug 1, 2024 at 1:17 PM KP Singh <kpsingh@...nel.org> wrote:
> >
> > With LSMs using static calls, early_lsm_init needs to wait for setup_arch
> > for architecture specific functionality which includes jump tables and
> > static calls to be initialized.
> >
> > This only affects "early LSMs" i.e. only lockdown when
> > CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is set.
> >
> > Fixes: 2732ad5ecd5b ("lsm: replace indirect LSM hook calls with static calls")
> > Signed-off-by: KP Singh <kpsingh@...nel.org>
> > ---
> >  init/main.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Considering the problems we've had, I'd like to hear more about how

Sure. With the first patch I sent, while I had enabled
CONFIG_SECURITY_LOCDOWN_EARLY_INIT, I missed setting it in the command
line, i.e. CONFIG_LSM. Thus I thought the crash was fixed and I did not
check ARM. But then here's what I did, and I will paste outputs for
posterity:

kpsingh@...ingh:~/projects/linux$ cat .config | grep -i LOCKDOWN
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,bpf"

I first tested with the commands that Nathan had given me:

kpsingh@...ingh:~/projects/linux$ make -skj"$(nproc)" ARCH=arm
CROSS_COMPILE=arm-linux-gnueabi- defconfig repro.config zImage

and I was able to reproduce the issue:

kpsingh@...ingh:~/projects/linux$ qemu-system-arm       -display none
     -nodefaults       -no-reboot       -machine virt       -append
'console=ttyAMA0 earlycon'       -kernel arch/arm/boot/zImage
-initrd rootfs.cpio       -m 512m       -serial mon:stdio
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 6.11.0-rc1-00011-g269d5c03e612
(kpsingh@...ingh.zrh.corp.google.com) (arm-linux-gnueabi-gcc (Debian
13.2.0-7) 13.2.0, GNU ld (GNU Binutils for Debian) 2.42) #7 SMP Tue
Aug  6 01:20:11 CEST 2024
[    0.000000] ------------[ cut here ]------------
[    0.000000] WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:199
static_key_enable_cpuslocked+0xb8/0xf4
[    0.000000] static_key_enable_cpuslocked(): static key '0xc1fb4cb0'
used before call to jump_label_init()
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted
6.11.0-rc1-00011-g269d5c03e612 #7
[    0.000000] Call trace:
[    0.000000]  unwind_backtrace from show_stack+0x10/0x14
[    0.000000]  show_stack from dump_stack_lvl+0x54/0x68
[    0.000000]  dump_stack_lvl from __warn+0x78/0x114
[    0.000000]  __warn from warn_slowpath_fmt+0x124/0x18c
[    0.000000]  warn_slowpath_fmt from static_key_enable_cpuslocked+0xb8/0xf4
[    0.000000]  static_key_enable_cpuslocked from static_key_enable+0x14/0x1c
[    0.000000]  static_key_enable from security_add_hooks+0xc4/0xfc
[    0.000000]  security_add_hooks from lockdown_lsm_init+0x18/0x24
[    0.000000]  lockdown_lsm_init from initialize_lsm+0x44/0x7c
[    0.000000]  initialize_lsm from early_security_init+0x44/0x50
[    0.000000]  early_security_init from start_kernel+0x64/0x6bc
[    0.000000]  start_kernel from 0x0
[    0.000000] ---[ end trace 0000000000000000 ]---

and with my patch:

kpsingh@...ingh:~/projects/linux$ git lg -1
48ad43fb07be - init/main.c: Initialize early LSMs after arch code
(HEAD -> fix_jump_table_init) (2024-08-01 KP Singh)
kpsingh@...ingh:~/projects/linux$ qemu-system-arm       -display none
     -nodefaults       -no-reboot       -machine virt       -append
'console=ttyAMA0 earlycon'       -kernel arch/arm/boot/zImage
-initrd rootfs.cpio       -m 512m       -serial mon:stdio
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 6.11.0-rc1-00012-g48ad43fb07be
(kpsingh@...ingh.zrh.corp.google.com) (arm-linux-gnueabi-gcc (Debian
13.2.0-7) 13.2.0, GNU ld (GNU Binutils for Debian) 2.42) #8 SMP Tue
Aug  6 01:22:00 CEST 2024
[    0.000000] CPU: ARMv7 Processor [414fc0f0] revision 0 (ARMv7), cr=10c5387d
[    0.000000] CPU: div instructions available: patching division code
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
[    0.000000] OF: fdt: Machine model: linux,dummy-virt
[    0.000000] random: crng init done
[    0.000000] earlycon: pl11 at MMIO 0x09000000 (options '')
[    0.000000] printk: legacy bootconsole [pl11] enabled
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] efi: UEFI not found.
[    0.000000] cma: Reserved 64 MiB at 0x5c000000 on node -1

Then I went ahead and confirmed this on x86 too:

Before the patch, repro:

/usr/bin/qemu-system-x86_64 -nographic -s -bios qboot.rom -machine q35
-enable-kvm -cpu host -net nic,model=virtio-net-pci -net
user,hostfwd=tcp::5555-:22 -virtfs
local,path=/,mount_tag=hostfs,security_model=none,multidevs=remap
-append "console=ttyS0,115200 root=/dev/sda rw nokaslr
init=/lib/systemd/systemd debug systemd.log_level=info
sysctl.vm.dirty_bytes=2147483647" -smp 24 -m 64G -drive
file=/usr/local/google/home/kpsingh/.vmcli/debian-x86_64.img -qmp
tcp:localhost:4444,server,nowait -serial mon:stdio -kernel
/usr/local/google/home/kpsingh/projects/linux/arch/x86_64/boot/bzImage

[    0.000000] Linux version 6.11.0-rc1-00011-g269d5c03e612
(kpsingh@...ingh.zrh.corp.google.com) (clang version 19.0.0git
(https://github.com/llvm/llvm-project.git
502e77df1fc4aa859db6709e14e93af6207e4dc4), Debian LLD 16.0.6) #9 SMP
PREEMPT_DYNAMIC Tue Aug  6 01:25:06 CEST 2024
[    0.000000] ------------[ cut here ]------------
[    0.000000] WARNING: CPU: 0 PID: 0 at
kernel/static_call_inline.c:153 __static_call_update+0x29f/0x310
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted
6.11.0-rc1-00011-g269d5c03e612 #9
[    0.000000] RIP: 0010:__static_call_update+0x29f/0x310
[    0.000000] Code: c1 02 75 9d 80 3d 90 3c 89 03 00 75 94 c6 05 87
3c 89 03 01 48 c7 c7 00 11 0e 83 4c 89 ee e8 c8 d6 c9 ff 0f 0b e9 77
ff ff ff <0f> 0b 48 c7 c7 60 e9 6c 84 e8 b3 24 86 01 e8 0e eb c9 ff 48
c7 44
[    0.000000] RSP: 0000:ffffffff84407d60 EFLAGS: 00010046 ORIG_RAX:
0000000000000000
[    0.000000] RAX: 0000000000000000 RBX: ffffffff8196cf30 RCX: ffffffff82caf1c6
[    0.000000] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff84407ce0
[    0.000000] RBP: ffffffff84407e60 R08: ffffffff84407ce7 R09: 1ffffffff0880f9c
[    0.000000] R10: dffffc0000000000 R11: fffffbfff0880f9d R12: 0000000000000010
[    0.000000] R13: ffffffff848157a0 R14: ffffffff83b69cb0 R15: ffffffff82cc05e8
[    0.000000] FS:  0000000000000000(0000) GS:ffffffff85403000(0000)
knlGS:0000000000000000
[    0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.000000] CR2: ffff888000014700 CR3: 0000000005504000 CR4: 00000000000000b0
[    0.000000] Call Trace:
[    0.000000]  <TASK>
[    0.000000]  ? __warn+0xff/0x2d0
[    0.000000]  ? __static_call_update+0x29f/0x310
[    0.000000]  ? report_bug+0x12f/0x1c0
[    0.000000]  ? early_fixup_exception+0x8a/0x100
[    0.000000]  ? __pfx_lockdown_is_locked_down+0x10/0x10
[    0.000000]  ? __SCT__lsm_static_call_bpf_token_capable_5+0x8/0x8
[    0.000000]  ? early_idt_handler_common+0x2f/0x40
[    0.000000]  ? __SCT__lsm_static_call_bpf_token_capable_5+0x8/0x8
[    0.000000]  ? __pfx_lockdown_is_locked_down+0x10/0x10
[    0.000000]  ? __mutex_unlock_slowpath+0x156/0x400
[    0.000000]  ? __static_call_update+0x29f/0x310
[    0.000000]  ? __pfx_lockdown_is_locked_down+0x10/0x10
[    0.000000]  ? __pfx_vprintk_emit+0x10/0x10
[    0.000000]  ? __asan_memset+0x22/0x50
[    0.000000]  ? __pfx___static_call_update+0x10/0x10
[    0.000000]  ? _printk+0xd4/0x120
[    0.000000]  ? __SCT__lsm_static_call_bpf_token_capable_5+0x8/0x8
[    0.000000]  ? lsm_static_call_init+0x99/0xd0
[    0.000000]  ? security_add_hooks+0x86/0xf0
[    0.000000]  ? lockdown_lsm_init+0x21/0x30
[    0.000000]  ? initialize_lsm+0x48/0x90
[    0.000000]  ? early_security_init+0x52/0x70
[    0.000000]  ? start_kernel+0x6b/0x3d0
[    0.000000]  ? x86_64_start_reservations+0x24/0x30
[    0.000000]  ? x86_64_start_kernel+0xa9/0xb0
[    0.000000]  ? common_startup_64+0x12c/0x137
[    0.000000]  </TASK>
[    0.000000] irq event stamp: 0
[    0.000000] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[    0.000000] hardirqs last disabled at (0): [<0000000000000000>] 0x0
[    0.000000] softirqs last  enabled at (0): [<0000000000000000>] 0x0
[    0.000000] softirqs last disabled at (0): [<0000000000000000>] 0x0
[    0.000000] ---[ end trace 0000000000000000 ]---
[    0.000000] ------------[ cut here ]------------

and with the patch:

/usr/bin/qemu-system-x86_64 -nographic -s -bios qboot.rom -machine q35
-enable-kvm -cpu host -net nic,model=virtio-net-pci -net
user,hostfwd=tcp::5555-:22 -virtfs
local,path=/,mount_tag=hostfs,security_model=none,multidevs=remap
-append "console=ttyS0,115200 root=/dev/sda rw nokaslr
init=/lib/systemd/systemd debug systemd.log_level=info
sysctl.vm.dirty_bytes=2147483647" -smp 24 -m 64G -drive
file=/usr/local/google/home/kpsingh/.vmcli/debian-x86_64.img -qmp
tcp:localhost:4444,server,nowait -serial mon:stdio -kernel
/usr/local/google/home/kpsingh/projects/linux/arch/x86_64/boot/bzImage

[    0.000000] Linux version 6.11.0-rc1-00012-g48ad43fb07be
(kpsingh@...ingh.zrh.corp.google.com) (clang version 19.0.0git
(https://github.com/llvm/llvm-project.git
502e77df1fc4aa859db6709e14e93af6207e4dc4), Debian LLD 16.0.6) #10 SMP
PREEMPT_DYNAMIC Tue Aug  6 01:27:35 CEST 2024
[    0.000000] Command line: console=ttyS0,115200 root=/dev/sda rw
nokaslr init=/lib/systemd/systemd debug systemd.log_level=info
sysctl.vm.dirty_bytes=2147483647
[    0.000000] BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000d0000-0x00000000000effff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007fffffff] usable
[    0.000000] BIOS-e820: [mem 0x00000000b0000000-0x00000000bfffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000107fffffff] usable
[    0.000000] BIOS-e820: [mem 0x000000fd00000000-0x000000ffffffffff] reserved
[    0.000000] NX (Execute Disable) protection: active

I then left this VM (well, a previous instance; I had to redo the tests
to prove that I did them and save the logs) running, using it for
some of my dev work, and have not seen any crashes since.

> you've tested this and I'd like to see some reviews/ACKs from some
> arch people too.

This is not the same patch as the previous one; it does not change
anything for arch. Rather, the decision is whether the LSM is okay with
waiting for arch to initialize. arch never depended on the LSM code;
early LSM was done as early as possible and now, because of static
calls, it needs to wait for setup_arch. It's mostly an LSM decision here.

I guess it would not harm Boris, Nathan and others to look at it as
well and see if it breaks any of their tests.

- KP

>
> > diff --git a/init/main.c b/init/main.c
> > index 206acdde51f5..a0e3f3c720e6 100644
> > --- a/init/main.c
> > +++ b/init/main.c
> > @@ -922,8 +922,8 @@ void start_kernel(void)
> >         boot_cpu_init();
> >         page_address_init();
> >         pr_notice("%s", linux_banner);
> > -       early_security_init();
> >         setup_arch(&command_line);
> > +       early_security_init();
> >         setup_boot_config();
> >         setup_command_line(command_line);
> >         setup_nr_cpu_ids();
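Review bot: the new ordering of `setup_arch(&command_line);` followed by `early_security_init();` carries an invariant that is only recorded in the commit message, so a one-line comment at the call site would keep it from being silently reverted, e.g. `/* Early LSMs use static calls; must run after setup_arch(). */` directly above `early_security_init();`. The commit message should also state explicitly that nothing reached from `setup_arch()` invokes an LSM hook: after this move any such call would run before the early LSM (lockdown) has registered its hooks, and that is the point an arch reviewer will want confirmed rather than inferred from the diff.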
> > --
> > 2.46.0.rc2.264.g509ed76dc8-goog
>
> --
> paul-moore.com
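The thread verifies the fix by booting ARM and x86 guests and reading the serial log by eye. As an added example (not code from this thread or from the kernel tree), the following Python script does that triage mechanically: it scans a boot log for a WARNING raised from the jump-label or static-call code, parses both the ARM `callee from caller` and the x86 `? func` trace formats seen above, and recovers the `start_kernel()` path down to the warning so a CI boot test can fail with the offending init chain. The list `PRE_ARCH_SITES` and the sample logs are assumptions constructed from the two traces posted in the thread (subsets of their lines).

```python
import re

# Added example, not code from this thread or the kernel tree: scan a serial
# boot log for the "static key / static call patched before arch init" warning
# and recover the start_kernel() path that led to it.  Sample logs below are
# constructed from the traces posted in the thread (subsets of the lines).

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                  # "[    0.000000] "
WARN_RE = re.compile(r"^WARNING: CPU: \d+ PID: \d+ at (\S+:\d+)(?: (\S+))?")
END_RE = re.compile(r"^---\[ end trace")
ARM_FRAME_RE = re.compile(r"^(\S+) from (\S+)$")                 # "callee from caller+off/len"
X86_FRAME_RE = re.compile(r"^\??\s*(\S+)$")                       # "? func+off/len"
SYM_RE = re.compile(r"^([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?$")

# Assumption: a warning raised from either file means a static branch or
# static call was patched before setup_arch() had set up the patching code.
PRE_ARCH_SITES = ("kernel/jump_label.c", "kernel/static_call_inline.c")

BROKEN_ARM_LOG = """\
[    0.000000] WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:199 static_key_enable_cpuslocked+0xb8/0xf4
[    0.000000] static_key_enable_cpuslocked(): static key '0xc1fb4cb0' used before call to jump_label_init()
[    0.000000] Call trace:
[    0.000000]  warn_slowpath_fmt from static_key_enable_cpuslocked+0xb8/0xf4
[    0.000000]  static_key_enable_cpuslocked from static_key_enable+0x14/0x1c
[    0.000000]  static_key_enable from security_add_hooks+0xc4/0xfc
[    0.000000]  security_add_hooks from lockdown_lsm_init+0x18/0x24
[    0.000000]  lockdown_lsm_init from initialize_lsm+0x44/0x7c
[    0.000000]  initialize_lsm from early_security_init+0x44/0x50
[    0.000000]  early_security_init from start_kernel+0x64/0x6bc
[    0.000000]  start_kernel from 0x0
[    0.000000] ---[ end trace 0000000000000000 ]---
"""

BROKEN_X86_LOG = """\
[    0.000000] WARNING: CPU: 0 PID: 0 at kernel/static_call_inline.c:153 __static_call_update+0x29f/0x310
[    0.000000] Call Trace:
[    0.000000]  <TASK>
[    0.000000]  ? __static_call_update+0x29f/0x310
[    0.000000]  ? lsm_static_call_init+0x99/0xd0
[    0.000000]  ? security_add_hooks+0x86/0xf0
[    0.000000]  ? lockdown_lsm_init+0x21/0x30
[    0.000000]  ? initialize_lsm+0x48/0x90
[    0.000000]  ? early_security_init+0x52/0x70
[    0.000000]  ? start_kernel+0x6b/0x3d0
[    0.000000]  ? x86_64_start_kernel+0xa9/0xb0
[    0.000000]  </TASK>
[    0.000000] ---[ end trace 0000000000000000 ]---
"""

FIXED_LOG = """\
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] OF: fdt: Machine model: linux,dummy-virt
"""

def symbol(token):
    # Strip the +0xoff/0xlen suffix; None for non-symbols such as 0x0 or <TASK>.
    m = SYM_RE.match(token) if token else None
    return m.group(1) if m else None

def parse_warnings(log):
    """One dict per WARNING block: site, warning function, frames innermost-first."""
    blocks, cur = [], None
    for raw in log.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if cur is None:
            m = WARN_RE.match(line)
            if m:
                cur = {"site": m.group(1), "func": symbol(m.group(2)), "frames": []}
            continue
        if END_RE.match(line):
            blocks.append(cur)
            cur = None
            continue
        m = ARM_FRAME_RE.match(line)            # arm: "X from Y"; Y repeats as the next X
        if m:
            if not cur["frames"] and symbol(m.group(1)):
                cur["frames"].append(symbol(m.group(1)))
            if symbol(m.group(2)):
                cur["frames"].append(symbol(m.group(2)))
            continue
        m = X86_FRAME_RE.match(line)            # x86: "? func+off/len" ('?' = possibly stale)
        if m and symbol(m.group(1)):
            cur["frames"].append(symbol(m.group(1)))
    if cur:                                     # log truncated before "end trace"
        blocks.append(cur)
    return blocks

def init_path(blk):
    """Outermost-first path from start_kernel() down to the warning function."""
    rev = list(reversed(blk["frames"]))
    if "start_kernel" not in rev:
        return []
    path = rev[rev.index("start_kernel"):]
    if blk["func"] in path:
        path = path[:path.index(blk["func"]) + 1]
    return path

def early_lsm_before_arch(log):
    """The offending block if an early LSM registered hooks before the arch
    init that static keys/calls depend on, else None."""
    for blk in parse_warnings(log):
        if blk["site"].split(":")[0] in PRE_ARCH_SITES and "early_security_init" in blk["frames"]:
            return blk
    return None

if __name__ == "__main__":
    for name, log in (("arm", BROKEN_ARM_LOG), ("x86", BROKEN_X86_LOG), ("fixed", FIXED_LOG)):
        blk = early_lsm_before_arch(log)
        print(name, "->", " -> ".join(init_path(blk)) if blk else "no early-LSM-before-arch warning")
```

Feed it the raw serial output of a boot (the email-wrapped lines in the thread need to be rejoined first, as a real console emits each record on one line); a non-empty result from `early_lsm_before_arch()` is the condition a boot smoke test should fail on, and `init_path()` names the initcall chain to look at.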
