selinux_msg_queue_msgrcv() oops

selinux_msg_queue_msgrcv() oops

[Tommi Rantala]

Hello,

I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
Trinity as the root user (in a qemu VM):

[12578.053111] BUG: unable to handle kernel NULL pointer dereference
at           (null)
[12578.054025] IP: [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
[12578.054025] Oops: 0000 [#2] SMP
[12578.054025] CPU 1
[12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
 3.8.0-rc6+ #31 Bochs Bochs
[12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
[12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX: 0000000000000001
[12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI: 0000000000000246
[12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09: 0000000000000000
[12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12: 0000000000000001
[12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15: ffff88003132d410
[12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
knlGS:0000000000000000
[12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4: 00000000000006e0
[12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[12578.054025] Process trinity-child23 (pid: 23453, threadinfo
ffff88002b6b4000, task ffff88000e8bc560)
[12578.054025] Stack:
[12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
ffffffff00000000
[12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
0000000000000001
[12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
ffffffff81314086
[12578.054025] Call Trace:
[12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
[12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
[12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
[12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
[12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
[12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
[12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
[12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
[12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
[12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
[12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
00 00
[12578.054025] RIP  [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025]  RSP <ffff88002b6b5e18>
[12578.054025] CR2: 0000000000000000
[12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---


After adding:

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 54aaa72..20cec57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
msg_queue *msq, struct msg_msg *msg,

        rc = avc_has_perm(sid, isec->sid,
                          SECCLASS_MSGQ, MSGQ__READ, &ad);
-       if (!rc)
+       if (!rc) {
+               WARN(msec == NULL, "msec is NULL!");
+
                rc = avc_has_perm(sid, msec->sid,
                                  SECCLASS_MSG, MSG__RECEIVE, &ad);
+       }
        return rc;
 }


I see:

[   43.103283] ------------[ cut here ]------------
[   43.104236] WARNING: at
/home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
selinux_msg_queue_msgrcv+0x1ff/0x210()
[   43.106088] Hardware name: Bochs
[   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
tainted 3.8.0-rc6+ #37
[   43.107950] Call Trace:
[   43.108393]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
[   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
[   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
[   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
[   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
[   43.118850]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
[   43.123815]
[   43.124096] ===============================
[   43.124804] [ INFO: suspicious RCU usage. ]
[   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
[   43.126344] -------------------------------
[   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
Illegal context switch in RCU read-side critical section!
[   43.129015]
[   43.129015] other info that might help us debug this:
[   43.129015]
[   43.130367]
[   43.130367] rcu_scheduler_active = 1, debug_locks = 0
[   43.131481] 3 locks held by trinity-child9/2387:
[   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
ipc_lock+0x5/0x1c0
[   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
[<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
[   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
__do_page_fault+0x114/0x4e0
[   43.136864]
[   43.136864] stack backtrace:
[   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
3.8.0-rc6+ #37
[   43.138897] Call Trace:
[   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
[   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
[   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
[   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
[   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
[   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
[   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
[   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
[   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
[   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
[   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
[   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
[   43.151263]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
[   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
[   43.160131]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[   43.176035] BUG: unable to handle kernel NULL pointer dereference
at           (null)
[   43.177016] IP: [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
[   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
[   43.177016] Oops: 0000 [#1] SMP
[   43.177016] CPU 0
[   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
3.8.0-rc6+ #37 Bochs Bochs
[   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
selinux_msg_queue_msgrcv+0xe7/0x210
[   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
[   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX: 0000000000000006
[   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI: 0000000000000009
[   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09: 0000000000000000
[   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12: 0000000000000001
[   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15: ffff880032e0e810
[   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4: 00000000000006f0
[   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   43.177016] Process trinity-child9 (pid: 2387, threadinfo
ffff8800318a6000, task ffff88003b7c4560)
[   43.177016] Stack:
[   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
ffffffff5d6d982a
[   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
0000000000000001
[   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
ffffffff813140b6
[   43.177016] Call Trace:
[   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
[   43.177016]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
00 00
[   43.177016] RIP  [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
[   43.177016]  RSP <ffff8800318a7e18>
[   43.177016] CR2: 0000000000000000
[   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
[   68.106008] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child8:2382]

Tommi

Re: selinux_msg_queue_msgrcv() oops

[Stephen Smalley]

On 02/06/2013 07:56 AM, Tommi Rantala wrote:
> Hello,
>
> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
> Trinity as the root user (in a qemu VM):

NULL msg->security at that point is a bug in the ipc subsystem; SELinux 
is just the messenger.  Normally msg->security is set for every 
allocated msg by load_msg() -> security_msg_msg_alloc() -> 
selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() -> 
security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking 
around, I see copy_msg() introduced for checkpoint-restore initializes 
dst->security to NULL but never sets it properly?

>
> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [12578.054025] IP: [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
> [12578.054025] Oops: 0000 [#2] SMP
> [12578.054025] CPU 1
> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
>   3.8.0-rc6+ #31 Bochs Bochs
> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
> selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX: 0000000000000001
> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI: 0000000000000246
> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09: 0000000000000000
> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12: 0000000000000001
> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15: ffff88003132d410
> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
> knlGS:0000000000000000
> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4: 00000000000006e0
> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
> ffff88002b6b4000, task ffff88000e8bc560)
> [12578.054025] Stack:
> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
> ffffffff00000000
> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
> 0000000000000001
> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
> ffffffff81314086
> [12578.054025] Call Trace:
> [12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
> [12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
> 00 00
> [12578.054025] RIP  [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025]  RSP <ffff88002b6b5e18>
> [12578.054025] CR2: 0000000000000000
> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>
>
> After adding:
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 54aaa72..20cec57 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
> msg_queue *msq, struct msg_msg *msg,
>
>          rc = avc_has_perm(sid, isec->sid,
>                            SECCLASS_MSGQ, MSGQ__READ, &ad);
> -       if (!rc)
> +       if (!rc) {
> +               WARN(msec == NULL, "msec is NULL!");
> +
>                  rc = avc_has_perm(sid, msec->sid,
>                                    SECCLASS_MSG, MSG__RECEIVE, &ad);
> +       }
>          return rc;
>   }
>
>
> I see:
>
> [   43.103283] ------------[ cut here ]------------
> [   43.104236] WARNING: at
> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
> selinux_msg_queue_msgrcv+0x1ff/0x210()
> [   43.106088] Hardware name: Bochs
> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
> tainted 3.8.0-rc6+ #37
> [   43.107950] Call Trace:
> [   43.108393]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
> [   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.118850]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
> [   43.123815]
> [   43.124096] ===============================
> [   43.124804] [ INFO: suspicious RCU usage. ]
> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
> [   43.126344] -------------------------------
> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
> Illegal context switch in RCU read-side critical section!
> [   43.129015]
> [   43.129015] other info that might help us debug this:
> [   43.129015]
> [   43.130367]
> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
> [   43.131481] 3 locks held by trinity-child9/2387:
> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
> ipc_lock+0x5/0x1c0
> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
> __do_page_fault+0x114/0x4e0
> [   43.136864]
> [   43.136864] stack backtrace:
> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
> 3.8.0-rc6+ #37
> [   43.138897] Call Trace:
> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
> [   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
> [   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.151263]  [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.160131]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.176035] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [   43.177016] IP: [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
> [   43.177016] Oops: 0000 [#1] SMP
> [   43.177016] CPU 0
> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
> 3.8.0-rc6+ #37 Bochs Bochs
> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
> selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX: 0000000000000006
> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI: 0000000000000009
> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09: 0000000000000000
> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12: 0000000000000001
> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15: ffff880032e0e810
> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
> knlGS:0000000000000000
> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4: 00000000000006f0
> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo
> ffff8800318a6000, task ffff88003b7c4560)
> [   43.177016] Stack:
> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
> ffffffff5d6d982a
> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
> 0000000000000001
> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
> ffffffff813140b6
> [   43.177016] Call Trace:
> [   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [   43.177016]  [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
> 00 00
> [   43.177016] RIP  [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [   43.177016]  RSP <ffff8800318a7e18>
> [   43.177016] CR2: 0000000000000000
> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child8:2382]
>
> Tommi
>

Re: selinux_msg_queue_msgrcv() oops

[Tommi Rantala]

2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>
>> Hello,
>>
>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>> Trinity as the root user (in a qemu VM):
>
>
> NULL msg->security at that point is a bug in the ipc subsystem; SELinux is
> just the messenger.  Normally msg->security is set for every allocated msg
> by load_msg() -> security_msg_msg_alloc() ->
> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking around,
> I see copy_msg() introduced for checkpoint-restore initializes dst->security
> to NULL but never sets it properly?

I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
analysis seems to be correct.

>>
>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>> at           (null)
>> [12578.054025] IP: [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>> [12578.054025] Oops: 0000 [#2] SMP
>> [12578.054025] CPU 1
>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
>>   3.8.0-rc6+ #31 Bochs Bochs
>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>> 0000000000000001
>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>> 0000000000000246
>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>> 0000000000000000
>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>> 0000000000000001
>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>> ffff88003132d410
>> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
>> knlGS:0000000000000000
>> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>> 00000000000006e0
>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>> 0000000000000400
>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>> ffff88002b6b4000, task ffff88000e8bc560)
>> [12578.054025] Stack:
>> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>> ffffffff00000000
>> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>> 0000000000000001
>> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>> ffffffff81314086
>> [12578.054025] Call Trace:
>> [12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
>> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
>> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>> [12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
>> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>> 00 00
>> [12578.054025] RIP  [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025]  RSP <ffff88002b6b5e18>
>> [12578.054025] CR2: 0000000000000000
>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>
>>
>> After adding:
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 54aaa72..20cec57 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>> msg_queue *msq, struct msg_msg *msg,
>>
>>          rc = avc_has_perm(sid, isec->sid,
>>                            SECCLASS_MSGQ, MSGQ__READ, &ad);
>> -       if (!rc)
>> +       if (!rc) {
>> +               WARN(msec == NULL, "msec is NULL!");
>> +
>>                  rc = avc_has_perm(sid, msec->sid,
>>                                    SECCLASS_MSG, MSG__RECEIVE, &ad);
>> +       }
>>          return rc;
>>   }
>>
>>
>> I see:
>>
>> [   43.103283] ------------[ cut here ]------------
>> [   43.104236] WARNING: at
>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>> [   43.106088] Hardware name: Bochs
>> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>> tainted 3.8.0-rc6+ #37
>> [   43.107950] Call Trace:
>> [   43.108393]  [<ffffffff8131e12f>] ?
>> selinux_msg_queue_msgrcv+0x1ff/0x210
>> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>> [   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
>> [   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [   43.118850]  [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>> [   43.123815]
>> [   43.124096] ===============================
>> [   43.124804] [ INFO: suspicious RCU usage. ]
>> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
>> [   43.126344] -------------------------------
>> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>> Illegal context switch in RCU read-side critical section!
>> [   43.129015]
>> [   43.129015] other info that might help us debug this:
>> [   43.129015]
>> [   43.130367]
>> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
>> [   43.131481] 3 locks held by trinity-child9/2387:
>> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>> ipc_lock+0x5/0x1c0
>> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>> __do_page_fault+0x114/0x4e0
>> [   43.136864]
>> [   43.136864] stack backtrace:
>> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
>> 3.8.0-rc6+ #37
>> [   43.138897] Call Trace:
>> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
>> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>> [   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
>> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>> [   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
>> [   43.151263]  [<ffffffff8131e12f>] ?
>> selinux_msg_queue_msgrcv+0x1ff/0x210
>> [   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [   43.160131]  [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [   43.176035] BUG: unable to handle kernel NULL pointer dereference
>> at           (null)
>> [   43.177016] IP: [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>> [   43.177016] Oops: 0000 [#1] SMP
>> [   43.177016] CPU 0
>> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
>> 3.8.0-rc6+ #37 Bochs Bochs
>> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
>> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>> 0000000000000006
>> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>> 0000000000000009
>> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>> 0000000000000000
>> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>> 0000000000000001
>> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>> ffff880032e0e810
>> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>> knlGS:0000000000000000
>> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>> 00000000000006f0
>> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>> 0000000000000400
>> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo
>> ffff8800318a6000, task ffff88003b7c4560)
>> [   43.177016] Stack:
>> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>> ffffffff5d6d982a
>> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
>> 0000000000000001
>> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>> ffffffff813140b6
>> [   43.177016] Call Trace:
>> [   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [   43.177016]  [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>> 00 00
>> [   43.177016] RIP  [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [   43.177016]  RSP <ffff8800318a7e18>
>> [   43.177016] CR2: 0000000000000000
>> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>> [trinity-child8:2382]
>>
>> Tommi
>>
>

Re: selinux_msg_queue_msgrcv() oops

[Stephen Smalley]

[-- Attachment #1: Type: text/plain, Size: 12427 bytes --]

On 02/06/2013 10:21 AM, Tommi Rantala wrote:
> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>
>>> Hello,
>>>
>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>> Trinity as the root user (in a qemu VM):
>>
>>
>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux is
>> just the messenger.  Normally msg->security is set for every allocated msg
>> by load_msg() -> security_msg_msg_alloc() ->
>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking around,
>> I see copy_msg() introduced for checkpoint-restore initializes dst->security
>> to NULL but never sets it properly?
>
> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
> analysis seems to be correct.

(cc originator of the bug)

If I am reading this correctly, then when the copy msg was created, a 
msg security struct was already allocated 
(prepare_copy->load_msg->security_msg_msg_alloc).  So having copy_msg() 
clear dst->security is also a memory leak in addition to leading to this 
oops.  Attached is a possible, un-tested fix.

>
>>>
>>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>>> at           (null)
>>> [12578.054025] IP: [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>>> [12578.054025] Oops: 0000 [#2] SMP
>>> [12578.054025] CPU 1
>>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
>>>    3.8.0-rc6+ #31 Bochs Bochs
>>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
>>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>>> 0000000000000001
>>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>>> 0000000000000246
>>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>>> 0000000000000000
>>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>>> 0000000000000001
>>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>>> ffff88003132d410
>>> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
>>> knlGS:0000000000000000
>>> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>>> 00000000000006e0
>>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>>> ffff88002b6b4000, task ffff88000e8bc560)
>>> [12578.054025] Stack:
>>> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>>> ffffffff00000000
>>> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>>> 0000000000000001
>>> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>>> ffffffff81314086
>>> [12578.054025] Call Trace:
>>> [12578.054025]  [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
>>> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>>> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>>> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>>> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>>> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
>>> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>>> [12578.054025]  [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
>>> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>>> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [12578.054025] RIP  [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025]  RSP <ffff88002b6b5e18>
>>> [12578.054025] CR2: 0000000000000000
>>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>>
>>>
>>> After adding:
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 54aaa72..20cec57 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>>> msg_queue *msq, struct msg_msg *msg,
>>>
>>>           rc = avc_has_perm(sid, isec->sid,
>>>                             SECCLASS_MSGQ, MSGQ__READ, &ad);
>>> -       if (!rc)
>>> +       if (!rc) {
>>> +               WARN(msec == NULL, "msec is NULL!");
>>> +
>>>                   rc = avc_has_perm(sid, msec->sid,
>>>                                     SECCLASS_MSG, MSG__RECEIVE, &ad);
>>> +       }
>>>           return rc;
>>>    }
>>>
>>>
>>> I see:
>>>
>>> [   43.103283] ------------[ cut here ]------------
>>> [   43.104236] WARNING: at
>>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>>> [   43.106088] Hardware name: Bochs
>>> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>>> tainted 3.8.0-rc6+ #37
>>> [   43.107950] Call Trace:
>>> [   43.108393]  [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>>> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>>> [   43.111561]  [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.112677]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.118850]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>>> [   43.123815]
>>> [   43.124096] ===============================
>>> [   43.124804] [ INFO: suspicious RCU usage. ]
>>> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
>>> [   43.126344] -------------------------------
>>> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>>> Illegal context switch in RCU read-side critical section!
>>> [   43.129015]
>>> [   43.129015] other info that might help us debug this:
>>> [   43.129015]
>>> [   43.130367]
>>> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
>>> [   43.131481] 3 locks held by trinity-child9/2387:
>>> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>>> ipc_lock+0x5/0x1c0
>>> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
>>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>>> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>>> __do_page_fault+0x114/0x4e0
>>> [   43.136864]
>>> [   43.136864] stack backtrace:
>>> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>> 3.8.0-rc6+ #37
>>> [   43.138897] Call Trace:
>>> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>>> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
>>> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>>> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>>> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>>> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>>> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>>> [   43.146316]  [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
>>> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>>> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>>> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>>> [   43.150167]  [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.151263]  [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [   43.152357]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.160131]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.176035] BUG: unable to handle kernel NULL pointer dereference
>>> at           (null)
>>> [   43.177016] IP: [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>>> [   43.177016] Oops: 0000 [#1] SMP
>>> [   43.177016] CPU 0
>>> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>> 3.8.0-rc6+ #37 Bochs Bochs
>>> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
>>> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>>> 0000000000000006
>>> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>>> 0000000000000009
>>> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>>> 0000000000000000
>>> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>>> 0000000000000001
>>> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>>> ffff880032e0e810
>>> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>>> knlGS:0000000000000000
>>> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>>> 00000000000006f0
>>> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo
>>> ffff8800318a6000, task ffff88003b7c4560)
>>> [   43.177016] Stack:
>>> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>>> ffffffff5d6d982a
>>> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
>>> 0000000000000001
>>> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>>> ffffffff813140b6
>>> [   43.177016] Call Trace:
>>> [   43.177016]  [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [   43.177016]  [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [   43.177016] RIP  [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [   43.177016]  RSP <ffff8800318a7e18>
>>> [   43.177016] CR2: 0000000000000000
>>> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>>> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>>> [trinity-child8:2382]
>>>
>>> Tommi
>>>
>>


[-- Attachment #2: 0001-Fix-selinux_msg_queue_msgrcv-oops.patch --]
[-- Type: text/x-patch, Size: 4635 bytes --]

>From 694502e960af954c4203d1b76837e51ce6720576 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 6 Feb 2013 11:15:08 -0500
Subject: [PATCH] Fix selinux_msg_queue_msgrcv() oops.

Fix an oops in selinux_msg_queue_msgrcv() by ensuring that
copied messages preserve security information.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reported-by: Tommi Rantala <tt.rantala@gmail.com>
---
 include/linux/security.h | 12 ++++++++++++
 ipc/msgutil.c            |  6 +++++-
 security/security.c      |  5 +++++
 security/selinux/hooks.c | 10 ++++++++++
 4 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index eee7478..4737635 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1126,6 +1126,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	created.
  *	@msg contains the message structure to be modified.
  *	Return 0 if operation was successful and permission is granted.
+ * @msg_msg_copy_security:
+ *	Propagate security information on a msg copy operation.
+ *	@src contains the source message structure.
+ *	@dst contains the destination message structure.
+ *	Return 0 if operation was successful.
  * @msg_msg_free_security:
  *	Deallocate the security structure for this message.
  *	@msg contains the message structure to be modified.
@@ -1553,6 +1558,7 @@ struct security_operations {
 	void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid);
 
 	int (*msg_msg_alloc_security) (struct msg_msg *msg);
+	int (*msg_msg_copy_security) (struct msg_msg *src, struct msg_msg *dst);
 	void (*msg_msg_free_security) (struct msg_msg *msg);
 
 	int (*msg_queue_alloc_security) (struct msg_queue *msq);
@@ -1811,6 +1817,7 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode);
 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
 void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
 int security_msg_msg_alloc(struct msg_msg *msg);
+int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst);
 void security_msg_msg_free(struct msg_msg *msg);
 int security_msg_queue_alloc(struct msg_queue *msq);
 void security_msg_queue_free(struct msg_queue *msq);
@@ -2409,6 +2416,11 @@ static inline int security_msg_msg_alloc(struct msg_msg *msg)
 	return 0;
 }
 
+static inline int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst)
+{
+	return 0;
+}
+
 static inline void security_msg_msg_free(struct msg_msg *msg)
 { }
 
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index ebfcbfa..7837257 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -108,6 +108,7 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
 	struct msg_msgseg *dst_pseg, *src_pseg;
 	int len = src->m_ts;
 	int alen;
+	int err;
 
 	BUG_ON(dst == NULL);
 	if (src->m_ts > dst->m_ts)
@@ -118,7 +119,10 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
 		alen = DATALEN_MSG;
 
 	dst->next = NULL;
-	dst->security = NULL;
+
+	err = security_msg_msg_copy(src, dst);
+	if (err < 0)
+		return ERR_PTR(err);
 
 	memcpy(dst + 1, src + 1, alen);
 
diff --git a/security/security.c b/security/security.c
index 7b88c6a..85cd39d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -936,6 +936,11 @@ int security_msg_msg_alloc(struct msg_msg *msg)
 	return security_ops->msg_msg_alloc_security(msg);
 }
 
+int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst)
+{
+	return security_ops->msg_msg_copy_security(src, dst);
+}
+
 void security_msg_msg_free(struct msg_msg *msg)
 {
 	security_ops->msg_msg_free_security(msg);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ef26e96..79f93ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4840,6 +4840,15 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
 	return msg_msg_alloc_security(msg);
 }
 
+static int selinux_msg_msg_copy_security(struct msg_msg *src, struct msg_msg *dst)
+{
+	struct msg_security_struct *smsec, *dmsec;
+	smsec = src->security;
+	dmsec = dst->security;
+	dmsec->sid = smsec->sid;
+	return 0;
+}
+
 static void selinux_msg_msg_free_security(struct msg_msg *msg)
 {
 	msg_msg_free_security(msg);
@@ -5603,6 +5612,7 @@ static struct security_operations selinux_ops = {
 	.ipc_getsecid =			selinux_ipc_getsecid,
 
 	.msg_msg_alloc_security =	selinux_msg_msg_alloc_security,
+	.msg_msg_copy_security =	selinux_msg_msg_copy_security,
 	.msg_msg_free_security =	selinux_msg_msg_free_security,
 
 	.msg_queue_alloc_security =	selinux_msg_queue_alloc_security,
-- 
1.7.11.7

Re: selinux_msg_queue_msgrcv() oops

[Tommi Rantala]

2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
> On 02/06/2013 10:21 AM, Tommi Rantala wrote:
>>
>> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>>>
>>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>>> Trinity as the root user (in a qemu VM):
>>>
>>>
>>>
>>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux
>>> is
>>> just the messenger.  Normally msg->security is set for every allocated
>>> msg
>>> by load_msg() -> security_msg_msg_alloc() ->
>>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>>> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking
>>> around,
>>> I see copy_msg() introduced for checkpoint-restore initializes
>>> dst->security
>>> to NULL but never sets it properly?
>>
>>
>> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
>> analysis seems to be correct.
>
>
> (cc originator of the bug)
>
> If I am reading this correctly, then when the copy msg was created, a msg
> security struct was already allocated
> (prepare_copy->load_msg->security_msg_msg_alloc).  So having copy_msg()
> clear dst->security is also a memory leak in addition to leading to this
> oops.  Attached is a possible, un-tested fix.

I can still reproduce the exact same oops with the patch applied. I
also wanted to be sure that copy_msg() is called, so I added a warning
there, but that never gets triggered. So I suppose the problem is not
actually related to CONFIG_CHECKPOINT_RESTORE.

diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index 7837257..78faadc 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -110,6 +110,8 @@ struct msg_msg *copy_msg(struct msg_msg *src,
struct msg_msg *dst)
        int alen;
        int err;

+       WARN_ON(1);
+
        BUG_ON(dst == NULL);
        if (src->m_ts > dst->m_ts)
                return ERR_PTR(-EINVAL);


>
>>
>>>>
>>>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>>>> at           (null)
>>>> [12578.054025] IP: [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>>>> [12578.054025] Oops: 0000 [#2] SMP
>>>> [12578.054025] CPU 1
>>>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G      D W
>>>>    3.8.0-rc6+ #31 Bochs Bochs
>>>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>]  [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025] RSP: 0018:ffff88002b6b5e18  EFLAGS: 00010246
>>>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>>>> 0000000000000001
>>>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>>>> 0000000000000246
>>>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>>>> 0000000000000000
>>>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>>>> 0000000000000001
>>>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>>>> ffff88003132d410
>>>> [12578.054025] FS:  00007f7385059700(0000) GS:ffff88003e200000(0000)
>>>> knlGS:0000000000000000
>>>> [12578.054025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>>>> 00000000000006e0
>>>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>>> 0000000000000000
>>>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>>> 0000000000000400
>>>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>>>> ffff88002b6b4000, task ffff88000e8bc560)
>>>> [12578.054025] Stack:
>>>> [12578.054025]  ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>>>> ffffffff00000000
>>>> [12578.054025]  ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>>>> 0000000000000001
>>>> [12578.054025]  0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>>>> ffffffff81314086
>>>> [12578.054025] Call Trace:
>>>> [12578.054025]  [<ffffffff8131e105>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x1e0
>>>> [12578.054025]  [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>>>> [12578.054025]  [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>>>> [12578.054025]  [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>>>> [12578.054025]  [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>>>> [12578.054025]  [<ffffffff812fe340>] ? load_msg+0x180/0x180
>>>> [12578.054025]  [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>>>> [12578.054025]  [<ffffffff810fb236>] ?
>>>> trace_hardirqs_on_caller+0x16/0x1a0
>>>> [12578.054025]  [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [12578.054025]  [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>>>> [12578.054025]  [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>>>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>>>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>>>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>>> 00 00
>>>> [12578.054025] RIP  [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025]  RSP <ffff88002b6b5e18>
>>>> [12578.054025] CR2: 0000000000000000
>>>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>>>
>>>>
>>>> After adding:
>>>>
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 54aaa72..20cec57 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>>>> msg_queue *msq, struct msg_msg *msg,
>>>>
>>>>           rc = avc_has_perm(sid, isec->sid,
>>>>                             SECCLASS_MSGQ, MSGQ__READ, &ad);
>>>> -       if (!rc)
>>>> +       if (!rc) {
>>>> +               WARN(msec == NULL, "msec is NULL!");
>>>> +
>>>>                   rc = avc_has_perm(sid, msec->sid,
>>>>                                     SECCLASS_MSG, MSG__RECEIVE, &ad);
>>>> +       }
>>>>           return rc;
>>>>    }
>>>>
>>>>
>>>> I see:
>>>>
>>>> [   43.103283] ------------[ cut here ]------------
>>>> [   43.104236] WARNING: at
>>>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>>>> [   43.106088] Hardware name: Bochs
>>>> [   43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>>>> tainted 3.8.0-rc6+ #37
>>>> [   43.107950] Call Trace:
>>>> [   43.108393]  [<ffffffff8131e12f>] ?
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [   43.109534]  [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>>>> [   43.110565]  [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>>>> [   43.111561]  [<ffffffff8131e12f>]
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [   43.112677]  [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [   43.113808]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [   43.114919]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [   43.115817]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [   43.116929]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [   43.117909]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [   43.118850]  [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [   43.120019]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [   43.121126]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [   43.122001]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [   43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>>>> [   43.123815]
>>>> [   43.124096] ===============================
>>>> [   43.124804] [ INFO: suspicious RCU usage. ]
>>>> [   43.125531] 3.8.0-rc6+ #37 Tainted: G        W
>>>> [   43.126344] -------------------------------
>>>> [   43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>>>> Illegal context switch in RCU read-side critical section!
>>>> [   43.129015]
>>>> [   43.129015] other info that might help us debug this:
>>>> [   43.129015]
>>>> [   43.130367]
>>>> [   43.130367] rcu_scheduler_active = 1, debug_locks = 0
>>>> [   43.131481] 3 locks held by trinity-child9/2387:
>>>> [   43.132266]  #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>>>> ipc_lock+0x5/0x1c0
>>>> [   43.133709]  #1:  (&(&new->lock)->rlock){+.+...}, at:
>>>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>>>> [   43.135294]  #2:  (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>>>> __do_page_fault+0x114/0x4e0
>>>> [   43.136864]
>>>> [   43.136864] stack backtrace:
>>>> [   43.137619] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>>> 3.8.0-rc6+ #37
>>>> [   43.138897] Call Trace:
>>>> [   43.139338]  [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>>>> [   43.140417]  [<ffffffff81cfb783>] __schedule+0x543/0x900
>>>> [   43.141342]  [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>>>> [   43.142291]  [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>>>> [   43.143440]  [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>>>> [   43.144362]  [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>>>> [   43.145362]  [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>>>> [   43.146316]  [<ffffffff8137319d>] ?
>>>> trace_hardirqs_off_thunk+0x3a/0x3c
>>>> [   43.147386]  [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>>>> [   43.148254]  [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>>>> [   43.149239]  [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>>>> [   43.150167]  [<ffffffff8131e017>] ?
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [   43.151263]  [<ffffffff8131e12f>] ?
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [   43.152357]  [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [   43.153475]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [   43.154828]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [   43.156052]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [   43.157586]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [   43.158830]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [   43.160131]  [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [   43.161736]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [   43.163238]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [   43.164453]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [   43.176035] BUG: unable to handle kernel NULL pointer dereference
>>>> at           (null)
>>>> [   43.177016] IP: [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [   43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>>>> [   43.177016] Oops: 0000 [#1] SMP
>>>> [   43.177016] CPU 0
>>>> [   43.177016] Pid: 2387, comm: trinity-child9 Tainted: G        W
>>>> 3.8.0-rc6+ #37 Bochs Bochs
>>>> [   43.177016] RIP: 0010:[<ffffffff8131e017>]  [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [   43.177016] RSP: 0018:ffff8800318a7e18  EFLAGS: 00010296
>>>> [   43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>>>> 0000000000000006
>>>> [   43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>>>> 0000000000000009
>>>> [   43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>>>> 0000000000000000
>>>> [   43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>>>> 0000000000000001
>>>> [   43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>>>> ffff880032e0e810
>>>> [   43.177016] FS:  00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>>>> knlGS:0000000000000000
>>>> [   43.177016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [   43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>>>> 00000000000006f0
>>>> [   43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>>> 0000000000000000
>>>> [   43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>>> 0000000000000400
>>>> [   43.177016] Process trinity-child9 (pid: 2387, threadinfo
>>>> ffff8800318a6000, task ffff88003b7c4560)
>>>> [   43.177016] Stack:
>>>> [   43.177016]  ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>>>> ffffffff5d6d982a
>>>> [   43.177016]  ffffffff812fd725 ffff880039c675c0 0000000000000000
>>>> 0000000000000001
>>>> [   43.177016]  0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>>>> ffffffff813140b6
>>>> [   43.177016] Call Trace:
>>>> [   43.177016]  [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [   43.177016]  [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [   43.177016]  [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [   43.177016]  [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [   43.177016]  [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [   43.177016]  [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [   43.177016]  [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [   43.177016]  [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [   43.177016]  [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [   43.177016]  [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [   43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>>>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>>>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>>> 00 00
>>>> [   43.177016] RIP  [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [   43.177016]  RSP <ffff8800318a7e18>
>>>> [   43.177016] CR2: 0000000000000000
>>>> [   43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>>>> [   68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>>>> [trinity-child8:2382]
>>>>
>>>> Tommi
>>>>
>>>
>

Re: selinux_msg_queue_msgrcv() oops

[Stanislav Kinsbursky]

06.02.2013 23:51, Tommi Rantala пишет:
> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>> On 02/06/2013 10:21 AM, Tommi Rantala wrote:
>>>
>>> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>>>>
>>>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>>>> Trinity as the root user (in a qemu VM):
>>>>
>>>>
>>>>
>>>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux
>>>> is
>>>> just the messenger.  Normally msg->security is set for every allocated
>>>> msg
>>>> by load_msg() -> security_msg_msg_alloc() ->
>>>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>>>> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking
>>>> around,
>>>> I see copy_msg() introduced for checkpoint-restore initializes
>>>> dst->security
>>>> to NULL but never sets it properly?
>>>
>>>
>>> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
>>> analysis seems to be correct.
>>
>>
>> (cc originator of the bug)
>>
>> If I am reading this correctly, then when the copy msg was created, a msg
>> security struct was already allocated
>> (prepare_copy->load_msg->security_msg_msg_alloc).  So having copy_msg()
>> clear dst->security is also a memory leak in addition to leading to this
>> oops.  Attached is a possible, un-tested fix.
>
> I can still reproduce the exact same oops with the patch applied. I
> also wanted to be sure that copy_msg() is called, so I added a warning
> there, but that never gets triggered. So I suppose the problem is not
> actually related to CONFIG_CHECKPOINT_RESTORE.
>

Hello.
Unfortunately, you are not the first one, who experience problems with Trinity running in KVM.

copy_msg() won't be called unless you'll specify the MSG_COPY flag in msgrcv() flags parameter.

Could you make a small investigation around the problem?
For example, does this problem appear, is you disable CONFIG_CHECKPOINT_RESTORE config option?


-- 
Best regards,
Stanislav Kinsbursky