From: Stephen Smalley <sds@tycho.nsa.gov>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>,
	Eric Paris <eparis@parisplace.org>,
	linux-security-module@vger.kernel.org,
	Dave Jones <davej@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: selinux_msg_queue_msgrcv() oops
Date: Wed, 06 Feb 2013 09:18:21 -0500
Message-ID: <5112662D.1010406@tycho.nsa.gov>
In-Reply-To: <CA+ydwtqgnMGuuHHWwj7jZh14WNdCFW_KA_APH-XZYX+RA-Ls1Q@mail.gmail.com>

On 02/06/2013 07:56 AM, Tommi Rantala wrote:
> Hello,
>
> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
> Trinity as the root user (in a qemu VM):

NULL msg->security at that point is a bug in the ipc subsystem; SELinux 
is just the messenger.  Normally msg->security is set for every 
allocated msg by load_msg() -> security_msg_msg_alloc() -> 
selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() -> 
security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking 
around, I see copy_msg() introduced for checkpoint-restore initializes 
dst->security to NULL but never sets it properly?

>
> [12578.053111] BUG: unable to handle kernel NULL pointer dereference at (null)
> [12578.054025] IP: [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
> [12578.054025] Oops: 0000 [#2] SMP
> [12578.054025] CPU 1
> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W 3.8.0-rc6+ #31 Bochs Bochs
> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX: 0000000000000001
> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI: 0000000000000246
> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09: 0000000000000000
> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12: 0000000000000001
> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15: ffff88003132d410
> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4: 00000000000006e0
> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo ffff88002b6b4000, task ffff88000e8bc560)
> [12578.054025] Stack:
> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04 ffffffff00000000
> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000 0000000000000001
> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78 ffffffff81314086
> [12578.054025] Call Trace:
> [12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
> [12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00 00 00
> [12578.054025] RIP  [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025]  RSP <ffff88002b6b5e18>
> [12578.054025] CR2: 0000000000000000
> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>
>
> After adding:
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 54aaa72..20cec57 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
> msg_queue *msq, struct msg_msg *msg,
>
>          rc = avc_has_perm(sid, isec->sid,
>                            SECCLASS_MSGQ, MSGQ__READ, &ad);
> -       if (!rc)
> +       if (!rc) {
> +               WARN(msec == NULL, "msec is NULL!");
> +
>                  rc = avc_has_perm(sid, msec->sid,
>                                    SECCLASS_MSG, MSG__RECEIVE, &ad);
> +       }
>          return rc;
>   }
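
Review bot: the WARN added inside the new `if (!rc) {` block only logs; the very next statement still dereferences `msec->sid`, so a NULL msec still oopses, which is exactly what the trace further down shows immediately after the warning fires. As a diagnostic that is fine, but if the check is meant to protect the path, bail out after warning, e.g. `if (WARN_ON(!msec)) return -EINVAL;` (the real fix still belongs in the ipc copy path, as the reply above says). Also, the format string `"msec is NULL!"` has no trailing newline, which is why the log below reads `msec is NULL!Pid: 2387` run together.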
>
>
> I see:
>
> [   43.103283] ------------[ cut here ]------------
> [   43.104236] WARNING: at /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986 selinux_msg_queue_msgrcv+0x1ff/0x210()
> [   43.106088] Hardware name: Bochs
> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not tainted 3.8.0-rc6+ #37
> [   43.107950] Call Trace:
> [   43.108393]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
> [   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.118850]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
> [   43.123815]
> [   43.124096] ===============================
> [   43.124804] [ INFO: suspicious RCU usage. ]
> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
> [   43.126344] -------------------------------
> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468 Illegal context switch in RCU read-side critical section!
> [   43.129015]
> [   43.129015] other info that might help us debug this:
> [   43.129015]
> [   43.130367]
> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
> [   43.131481] 3 locks held by trinity-child9/2387:
> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>] ipc_lock+0x5/0x1c0
> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at: [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>] __do_page_fault+0x114/0x4e0
> [   43.136864]
> [   43.136864] stack backtrace:
> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W 3.8.0-rc6+ #37
> [   43.138897] Call Trace:
> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
> [   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
> [   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.151263]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.160131]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.176035] BUG: unable to handle kernel NULL pointer dereference at (null)
> [   43.177016] IP: [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
> [   43.177016] Oops: 0000 [#1] SMP
> [   43.177016] CPU 0
> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W 3.8.0-rc6+ #37 Bochs Bochs
> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX: 0000000000000006
> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI: 0000000000000009
> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09: 0000000000000000
> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12: 0000000000000001
> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15: ffff880032e0e810
> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4: 00000000000006f0
> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo ffff8800318a6000, task ffff88003b7c4560)
> [   43.177016] Stack:
> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04 ffffffff5d6d982a
> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000 0000000000000001
> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78 ffffffff813140b6
> [   43.177016] Call Trace:
> [   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.177016]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00 00 00
> [   43.177016] RIP  [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016]  RSP <ffff8800318a7e18>
> [   43.177016] CR2: 0000000000000000
> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child8:2382]
>
> Tommi
>


Thread overview: 6+ messages
2013-02-06 12:56 selinux_msg_queue_msgrcv() oops Tommi Rantala
2013-02-06 14:18 ` Stephen Smalley [this message]
2013-02-06 15:21   ` Tommi Rantala
2013-02-06 16:28     ` Stephen Smalley
2013-02-06 19:51       ` Tommi Rantala
2013-02-07  9:16         ` Stanislav Kinsbursky
