* selinux_msg_queue_msgrcv() oops
@ 2013-02-06 12:56 Tommi Rantala
2013-02-06 14:18 ` Stephen Smalley
0 siblings, 1 reply; 6+ messages in thread
From: Tommi Rantala @ 2013-02-06 12:56 UTC (permalink / raw)
To: Stephen Smalley, James Morris, Eric Paris, linux-security-module
Cc: Dave Jones, LKML
Hello,
I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
Trinity as the root user (in a qemu VM):
[12578.053111] BUG: unable to handle kernel NULL pointer dereference
at (null)
[12578.054025] IP: [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
[12578.054025] Oops: 0000 [#2] SMP
[12578.054025] CPU 1
[12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G D W
3.8.0-rc6+ #31 Bochs Bochs
[12578.054025] RIP: 0010:[<ffffffff8131e1da>] [<ffffffff8131e1da>]
selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025] RSP: 0018:ffff88002b6b5e18 EFLAGS: 00010246
[12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX: 0000000000000001
[12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI: 0000000000000246
[12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09: 0000000000000000
[12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12: 0000000000000001
[12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15: ffff88003132d410
[12578.054025] FS: 00007f7385059700(0000) GS:ffff88003e200000(0000)
knlGS:0000000000000000
[12578.054025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4: 00000000000006e0
[12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[12578.054025] Process trinity-child23 (pid: 23453, threadinfo
ffff88002b6b4000, task ffff88000e8bc560)
[12578.054025] Stack:
[12578.054025] ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
ffffffff00000000
[12578.054025] ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
0000000000000001
[12578.054025] 0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
ffffffff81314086
[12578.054025] Call Trace:
[12578.054025] [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
[12578.054025] [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
[12578.054025] [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
[12578.054025] [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
[12578.054025] [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
[12578.054025] [<ffffffff812fe340>] ? load_msg+0x180/0x180
[12578.054025] [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
[12578.054025] [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
[12578.054025] [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[12578.054025] [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
[12578.054025] [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
[12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
00 00
[12578.054025] RIP [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
[12578.054025] RSP <ffff88002b6b5e18>
[12578.054025] CR2: 0000000000000000
[12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
After adding:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 54aaa72..20cec57 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
msg_queue *msq, struct msg_msg *msg,
rc = avc_has_perm(sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad);
- if (!rc)
+ if (!rc) {
+ WARN(msec == NULL, "msec is NULL!");
+
rc = avc_has_perm(sid, msec->sid,
SECCLASS_MSG, MSG__RECEIVE, &ad);
+ }
return rc;
}
I see:
[ 43.103283] ------------[ cut here ]------------
[ 43.104236] WARNING: at
/home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
selinux_msg_queue_msgrcv+0x1ff/0x210()
[ 43.106088] Hardware name: Bochs
[ 43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
tainted 3.8.0-rc6+ #37
[ 43.107950] Call Trace:
[ 43.108393] [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
[ 43.109534] [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
[ 43.110565] [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
[ 43.111561] [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
[ 43.112677] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[ 43.113808] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[ 43.114919] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[ 43.115817] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[ 43.116929] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[ 43.117909] [<ffffffff812fe370>] ? load_msg+0x180/0x180
[ 43.118850] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[ 43.120019] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 43.121126] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[ 43.122001] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[ 43.123044] ---[ end trace db5952f0fa3bedc7 ]---
[ 43.123815]
[ 43.124096] ===============================
[ 43.124804] [ INFO: suspicious RCU usage. ]
[ 43.125531] 3.8.0-rc6+ #37 Tainted: G W
[ 43.126344] -------------------------------
[ 43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
Illegal context switch in RCU read-side critical section!
[ 43.129015]
[ 43.129015] other info that might help us debug this:
[ 43.129015]
[ 43.130367]
[ 43.130367] rcu_scheduler_active = 1, debug_locks = 0
[ 43.131481] 3 locks held by trinity-child9/2387:
[ 43.132266] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
ipc_lock+0x5/0x1c0
[ 43.133709] #1: (&(&new->lock)->rlock){+.+...}, at:
[<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
[ 43.135294] #2: (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
__do_page_fault+0x114/0x4e0
[ 43.136864]
[ 43.136864] stack backtrace:
[ 43.137619] Pid: 2387, comm: trinity-child9 Tainted: G W
3.8.0-rc6+ #37
[ 43.138897] Call Trace:
[ 43.139338] [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
[ 43.140417] [<ffffffff81cfb783>] __schedule+0x543/0x900
[ 43.141342] [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
[ 43.142291] [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
[ 43.143440] [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
[ 43.144362] [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
[ 43.145362] [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
[ 43.146316] [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
[ 43.147386] [<ffffffff8108e5de>] do_page_fault+0xe/0x10
[ 43.148254] [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
[ 43.149239] [<ffffffff81cfe138>] async_page_fault+0x28/0x30
[ 43.150167] [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
[ 43.151263] [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
[ 43.152357] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[ 43.153475] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[ 43.154828] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[ 43.156052] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[ 43.157586] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[ 43.158830] [<ffffffff812fe370>] ? load_msg+0x180/0x180
[ 43.160131] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[ 43.161736] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 43.163238] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[ 43.164453] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[ 43.176035] BUG: unable to handle kernel NULL pointer dereference
at (null)
[ 43.177016] IP: [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
[ 43.177016] PGD 3189b067 PUD 3189c067 PMD 0
[ 43.177016] Oops: 0000 [#1] SMP
[ 43.177016] CPU 0
[ 43.177016] Pid: 2387, comm: trinity-child9 Tainted: G W
3.8.0-rc6+ #37 Bochs Bochs
[ 43.177016] RIP: 0010:[<ffffffff8131e017>] [<ffffffff8131e017>]
selinux_msg_queue_msgrcv+0xe7/0x210
[ 43.177016] RSP: 0018:ffff8800318a7e18 EFLAGS: 00010296
[ 43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX: 0000000000000006
[ 43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI: 0000000000000009
[ 43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09: 0000000000000000
[ 43.177016] R10: 0000000000000000 R11: 0000000000000288 R12: 0000000000000001
[ 43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15: ffff880032e0e810
[ 43.177016] FS: 00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[ 43.177016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4: 00000000000006f0
[ 43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 43.177016] Process trinity-child9 (pid: 2387, threadinfo
ffff8800318a6000, task ffff88003b7c4560)
[ 43.177016] Stack:
[ 43.177016] ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
ffffffff5d6d982a
[ 43.177016] ffffffff812fd725 ffff880039c675c0 0000000000000000
0000000000000001
[ 43.177016] 0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
ffffffff813140b6
[ 43.177016] Call Trace:
[ 43.177016] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
[ 43.177016] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
[ 43.177016] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
[ 43.177016] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
[ 43.177016] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
[ 43.177016] [<ffffffff812fe370>] ? load_msg+0x180/0x180
[ 43.177016] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
[ 43.177016] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 43.177016] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
[ 43.177016] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
[ 43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
00 00
[ 43.177016] RIP [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
[ 43.177016] RSP <ffff8800318a7e18>
[ 43.177016] CR2: 0000000000000000
[ 43.228535] ---[ end trace db5952f0fa3bedc8 ]---
[ 68.106008] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child8:2382]
Tommi
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: selinux_msg_queue_msgrcv() oops
2013-02-06 12:56 selinux_msg_queue_msgrcv() oops Tommi Rantala
@ 2013-02-06 14:18 ` Stephen Smalley
2013-02-06 15:21 ` Tommi Rantala
0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2013-02-06 14:18 UTC (permalink / raw)
To: Tommi Rantala
Cc: James Morris, Eric Paris, linux-security-module, Dave Jones, LKML
On 02/06/2013 07:56 AM, Tommi Rantala wrote:
> Hello,
>
> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
> Trinity as the root user (in a qemu VM):
NULL msg->security at that point is a bug in the ipc subsystem; SELinux
is just the messenger. Normally msg->security is set for every
allocated msg by load_msg() -> security_msg_msg_alloc() ->
selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking
around, I see copy_msg() introduced for checkpoint-restore initializes
dst->security to NULL but never sets it properly?
>
> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
> at (null)
> [12578.054025] IP: [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
> [12578.054025] Oops: 0000 [#2] SMP
> [12578.054025] CPU 1
> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G D W
> 3.8.0-rc6+ #31 Bochs Bochs
> [12578.054025] RIP: 0010:[<ffffffff8131e1da>] [<ffffffff8131e1da>]
> selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] RSP: 0018:ffff88002b6b5e18 EFLAGS: 00010246
> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX: 0000000000000001
> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI: 0000000000000246
> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09: 0000000000000000
> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12: 0000000000000001
> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15: ffff88003132d410
> [12578.054025] FS: 00007f7385059700(0000) GS:ffff88003e200000(0000)
> knlGS:0000000000000000
> [12578.054025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4: 00000000000006e0
> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
> ffff88002b6b4000, task ffff88000e8bc560)
> [12578.054025] Stack:
> [12578.054025] ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
> ffffffff00000000
> [12578.054025] ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
> 0000000000000001
> [12578.054025] 0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
> ffffffff81314086
> [12578.054025] Call Trace:
> [12578.054025] [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
> [12578.054025] [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
> [12578.054025] [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
> [12578.054025] [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
> [12578.054025] [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
> [12578.054025] [<ffffffff812fe340>] ? load_msg+0x180/0x180
> [12578.054025] [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
> [12578.054025] [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
> [12578.054025] [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [12578.054025] [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
> [12578.054025] [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
> 00 00
> [12578.054025] RIP [<ffffffff8131e1da>] selinux_msg_queue_msgrcv+0xda/0x1e0
> [12578.054025] RSP <ffff88002b6b5e18>
> [12578.054025] CR2: 0000000000000000
> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>
>
> After adding:
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 54aaa72..20cec57 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
> msg_queue *msq, struct msg_msg *msg,
>
> rc = avc_has_perm(sid, isec->sid,
> SECCLASS_MSGQ, MSGQ__READ, &ad);
> - if (!rc)
> + if (!rc) {
> + WARN(msec == NULL, "msec is NULL!");
> +
> rc = avc_has_perm(sid, msec->sid,
> SECCLASS_MSG, MSG__RECEIVE, &ad);
> + }
> return rc;
> }
>
>
> I see:
>
> [ 43.103283] ------------[ cut here ]------------
> [ 43.104236] WARNING: at
> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
> selinux_msg_queue_msgrcv+0x1ff/0x210()
> [ 43.106088] Hardware name: Bochs
> [ 43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
> tainted 3.8.0-rc6+ #37
> [ 43.107950] Call Trace:
> [ 43.108393] [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [ 43.109534] [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
> [ 43.110565] [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
> [ 43.111561] [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
> [ 43.112677] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [ 43.113808] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [ 43.114919] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [ 43.115817] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [ 43.116929] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [ 43.117909] [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [ 43.118850] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [ 43.120019] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [ 43.121126] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [ 43.122001] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [ 43.123044] ---[ end trace db5952f0fa3bedc7 ]---
> [ 43.123815]
> [ 43.124096] ===============================
> [ 43.124804] [ INFO: suspicious RCU usage. ]
> [ 43.125531] 3.8.0-rc6+ #37 Tainted: G W
> [ 43.126344] -------------------------------
> [ 43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
> Illegal context switch in RCU read-side critical section!
> [ 43.129015]
> [ 43.129015] other info that might help us debug this:
> [ 43.129015]
> [ 43.130367]
> [ 43.130367] rcu_scheduler_active = 1, debug_locks = 0
> [ 43.131481] 3 locks held by trinity-child9/2387:
> [ 43.132266] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
> ipc_lock+0x5/0x1c0
> [ 43.133709] #1: (&(&new->lock)->rlock){+.+...}, at:
> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
> [ 43.135294] #2: (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
> __do_page_fault+0x114/0x4e0
> [ 43.136864]
> [ 43.136864] stack backtrace:
> [ 43.137619] Pid: 2387, comm: trinity-child9 Tainted: G W
> 3.8.0-rc6+ #37
> [ 43.138897] Call Trace:
> [ 43.139338] [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
> [ 43.140417] [<ffffffff81cfb783>] __schedule+0x543/0x900
> [ 43.141342] [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
> [ 43.142291] [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
> [ 43.143440] [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
> [ 43.144362] [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
> [ 43.145362] [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
> [ 43.146316] [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
> [ 43.147386] [<ffffffff8108e5de>] do_page_fault+0xe/0x10
> [ 43.148254] [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
> [ 43.149239] [<ffffffff81cfe138>] async_page_fault+0x28/0x30
> [ 43.150167] [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
> [ 43.151263] [<ffffffff8131e12f>] ? selinux_msg_queue_msgrcv+0x1ff/0x210
> [ 43.152357] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [ 43.153475] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [ 43.154828] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [ 43.156052] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [ 43.157586] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [ 43.158830] [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [ 43.160131] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [ 43.161736] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [ 43.163238] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [ 43.164453] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [ 43.176035] BUG: unable to handle kernel NULL pointer dereference
> at (null)
> [ 43.177016] IP: [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [ 43.177016] PGD 3189b067 PUD 3189c067 PMD 0
> [ 43.177016] Oops: 0000 [#1] SMP
> [ 43.177016] CPU 0
> [ 43.177016] Pid: 2387, comm: trinity-child9 Tainted: G W
> 3.8.0-rc6+ #37 Bochs Bochs
> [ 43.177016] RIP: 0010:[<ffffffff8131e017>] [<ffffffff8131e017>]
> selinux_msg_queue_msgrcv+0xe7/0x210
> [ 43.177016] RSP: 0018:ffff8800318a7e18 EFLAGS: 00010296
> [ 43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX: 0000000000000006
> [ 43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI: 0000000000000009
> [ 43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09: 0000000000000000
> [ 43.177016] R10: 0000000000000000 R11: 0000000000000288 R12: 0000000000000001
> [ 43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15: ffff880032e0e810
> [ 43.177016] FS: 00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
> knlGS:0000000000000000
> [ 43.177016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4: 00000000000006f0
> [ 43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [ 43.177016] Process trinity-child9 (pid: 2387, threadinfo
> ffff8800318a6000, task ffff88003b7c4560)
> [ 43.177016] Stack:
> [ 43.177016] ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
> ffffffff5d6d982a
> [ 43.177016] ffffffff812fd725 ffff880039c675c0 0000000000000000
> 0000000000000001
> [ 43.177016] 0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
> ffffffff813140b6
> [ 43.177016] Call Trace:
> [ 43.177016] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
> [ 43.177016] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
> [ 43.177016] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
> [ 43.177016] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
> [ 43.177016] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
> [ 43.177016] [<ffffffff812fe370>] ? load_msg+0x180/0x180
> [ 43.177016] [<ffffffff810fb35d>] ? trace_hardirqs_on_caller+0x10d/0x1a0
> [ 43.177016] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
> [ 43.177016] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
> [ 43.177016] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
> [ 43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
> 00 00
> [ 43.177016] RIP [<ffffffff8131e017>] selinux_msg_queue_msgrcv+0xe7/0x210
> [ 43.177016] RSP <ffff8800318a7e18>
> [ 43.177016] CR2: 0000000000000000
> [ 43.228535] ---[ end trace db5952f0fa3bedc8 ]---
> [ 68.106008] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child8:2382]
>
> Tommi
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: selinux_msg_queue_msgrcv() oops
2013-02-06 14:18 ` Stephen Smalley
@ 2013-02-06 15:21 ` Tommi Rantala
2013-02-06 16:28 ` Stephen Smalley
0 siblings, 1 reply; 6+ messages in thread
From: Tommi Rantala @ 2013-02-06 15:21 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, Eric Paris, linux-security-module, Dave Jones, LKML
2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>
>> Hello,
>>
>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>> Trinity as the root user (in a qemu VM):
>
>
> NULL msg->security at that point is a bug in the ipc subsystem; SELinux is
> just the messenger. Normally msg->security is set for every allocated msg
> by load_msg() -> security_msg_msg_alloc() ->
> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
> security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking around,
> I see copy_msg() introduced for checkpoint-restore initializes dst->security
> to NULL but never sets it properly?
I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
analysis seems to be correct.
>>
>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>> at (null)
>> [12578.054025] IP: [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>> [12578.054025] Oops: 0000 [#2] SMP
>> [12578.054025] CPU 1
>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G D W
>> 3.8.0-rc6+ #31 Bochs Bochs
>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>] [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025] RSP: 0018:ffff88002b6b5e18 EFLAGS: 00010246
>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>> 0000000000000001
>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>> 0000000000000246
>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>> 0000000000000000
>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>> 0000000000000001
>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>> ffff88003132d410
>> [12578.054025] FS: 00007f7385059700(0000) GS:ffff88003e200000(0000)
>> knlGS:0000000000000000
>> [12578.054025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>> 00000000000006e0
>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>> 0000000000000400
>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>> ffff88002b6b4000, task ffff88000e8bc560)
>> [12578.054025] Stack:
>> [12578.054025] ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>> ffffffff00000000
>> [12578.054025] ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>> 0000000000000001
>> [12578.054025] 0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>> ffffffff81314086
>> [12578.054025] Call Trace:
>> [12578.054025] [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
>> [12578.054025] [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>> [12578.054025] [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>> [12578.054025] [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>> [12578.054025] [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>> [12578.054025] [<ffffffff812fe340>] ? load_msg+0x180/0x180
>> [12578.054025] [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>> [12578.054025] [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
>> [12578.054025] [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [12578.054025] [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>> [12578.054025] [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>> 00 00
>> [12578.054025] RIP [<ffffffff8131e1da>]
>> selinux_msg_queue_msgrcv+0xda/0x1e0
>> [12578.054025] RSP <ffff88002b6b5e18>
>> [12578.054025] CR2: 0000000000000000
>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>
>>
>> After adding:
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 54aaa72..20cec57 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>> msg_queue *msq, struct msg_msg *msg,
>>
>> rc = avc_has_perm(sid, isec->sid,
>> SECCLASS_MSGQ, MSGQ__READ, &ad);
>> - if (!rc)
>> + if (!rc) {
>> + WARN(msec == NULL, "msec is NULL!");
>> +
>> rc = avc_has_perm(sid, msec->sid,
>> SECCLASS_MSG, MSG__RECEIVE, &ad);
>> + }
>> return rc;
>> }
>>
>>
>> I see:
>>
>> [ 43.103283] ------------[ cut here ]------------
>> [ 43.104236] WARNING: at
>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>> [ 43.106088] Hardware name: Bochs
>> [ 43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>> tainted 3.8.0-rc6+ #37
>> [ 43.107950] Call Trace:
>> [ 43.108393] [<ffffffff8131e12f>] ?
>> selinux_msg_queue_msgrcv+0x1ff/0x210
>> [ 43.109534] [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>> [ 43.110565] [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>> [ 43.111561] [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
>> [ 43.112677] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [ 43.113808] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [ 43.114919] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [ 43.115817] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [ 43.116929] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [ 43.117909] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [ 43.118850] [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [ 43.120019] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [ 43.121126] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [ 43.122001] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [ 43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>> [ 43.123815]
>> [ 43.124096] ===============================
>> [ 43.124804] [ INFO: suspicious RCU usage. ]
>> [ 43.125531] 3.8.0-rc6+ #37 Tainted: G W
>> [ 43.126344] -------------------------------
>> [ 43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>> Illegal context switch in RCU read-side critical section!
>> [ 43.129015]
>> [ 43.129015] other info that might help us debug this:
>> [ 43.129015]
>> [ 43.130367]
>> [ 43.130367] rcu_scheduler_active = 1, debug_locks = 0
>> [ 43.131481] 3 locks held by trinity-child9/2387:
>> [ 43.132266] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>> ipc_lock+0x5/0x1c0
>> [ 43.133709] #1: (&(&new->lock)->rlock){+.+...}, at:
>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>> [ 43.135294] #2: (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>> __do_page_fault+0x114/0x4e0
>> [ 43.136864]
>> [ 43.136864] stack backtrace:
>> [ 43.137619] Pid: 2387, comm: trinity-child9 Tainted: G W
>> 3.8.0-rc6+ #37
>> [ 43.138897] Call Trace:
>> [ 43.139338] [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>> [ 43.140417] [<ffffffff81cfb783>] __schedule+0x543/0x900
>> [ 43.141342] [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>> [ 43.142291] [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>> [ 43.143440] [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>> [ 43.144362] [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>> [ 43.145362] [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>> [ 43.146316] [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
>> [ 43.147386] [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>> [ 43.148254] [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>> [ 43.149239] [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>> [ 43.150167] [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
>> [ 43.151263] [<ffffffff8131e12f>] ?
>> selinux_msg_queue_msgrcv+0x1ff/0x210
>> [ 43.152357] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [ 43.153475] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [ 43.154828] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [ 43.156052] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [ 43.157586] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [ 43.158830] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [ 43.160131] [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [ 43.161736] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [ 43.163238] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [ 43.164453] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [ 43.176035] BUG: unable to handle kernel NULL pointer dereference
>> at (null)
>> [ 43.177016] IP: [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [ 43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>> [ 43.177016] Oops: 0000 [#1] SMP
>> [ 43.177016] CPU 0
>> [ 43.177016] Pid: 2387, comm: trinity-child9 Tainted: G W
>> 3.8.0-rc6+ #37 Bochs Bochs
>> [ 43.177016] RIP: 0010:[<ffffffff8131e017>] [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [ 43.177016] RSP: 0018:ffff8800318a7e18 EFLAGS: 00010296
>> [ 43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>> 0000000000000006
>> [ 43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>> 0000000000000009
>> [ 43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>> 0000000000000000
>> [ 43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>> 0000000000000001
>> [ 43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>> ffff880032e0e810
>> [ 43.177016] FS: 00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>> knlGS:0000000000000000
>> [ 43.177016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>> 00000000000006f0
>> [ 43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>> 0000000000000000
>> [ 43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>> 0000000000000400
>> [ 43.177016] Process trinity-child9 (pid: 2387, threadinfo
>> ffff8800318a6000, task ffff88003b7c4560)
>> [ 43.177016] Stack:
>> [ 43.177016] ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>> ffffffff5d6d982a
>> [ 43.177016] ffffffff812fd725 ffff880039c675c0 0000000000000000
>> 0000000000000001
>> [ 43.177016] 0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>> ffffffff813140b6
>> [ 43.177016] Call Trace:
>> [ 43.177016] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>> [ 43.177016] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>> [ 43.177016] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>> [ 43.177016] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>> [ 43.177016] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>> [ 43.177016] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>> [ 43.177016] [<ffffffff810fb35d>] ?
>> trace_hardirqs_on_caller+0x10d/0x1a0
>> [ 43.177016] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>> [ 43.177016] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>> [ 43.177016] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>> [ 43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>> 00 00
>> [ 43.177016] RIP [<ffffffff8131e017>]
>> selinux_msg_queue_msgrcv+0xe7/0x210
>> [ 43.177016] RSP <ffff8800318a7e18>
>> [ 43.177016] CR2: 0000000000000000
>> [ 43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>> [ 68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>> [trinity-child8:2382]
>>
>> Tommi
>>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: selinux_msg_queue_msgrcv() oops
2013-02-06 15:21 ` Tommi Rantala
@ 2013-02-06 16:28 ` Stephen Smalley
2013-02-06 19:51 ` Tommi Rantala
0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2013-02-06 16:28 UTC (permalink / raw)
To: Tommi Rantala
Cc: James Morris, Eric Paris, linux-security-module, Dave Jones,
LKML, Stanislav Kinsbursky
[-- Attachment #1: Type: text/plain, Size: 12427 bytes --]
On 02/06/2013 10:21 AM, Tommi Rantala wrote:
> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>
>>> Hello,
>>>
>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>> Trinity as the root user (in a qemu VM):
>>
>>
>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux is
>> just the messenger. Normally msg->security is set for every allocated msg
>> by load_msg() -> security_msg_msg_alloc() ->
>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>> security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking around,
>> I see copy_msg() introduced for checkpoint-restore initializes dst->security
>> to NULL but never sets it properly?
>
> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
> analysis seems to be correct.
(cc originator of the bug)
If I am reading this correctly, then when the copy msg was created, a
msg security struct was already allocated
(prepare_copy->load_msg->security_msg_msg_alloc). So having copy_msg()
clear dst->security is also a memory leak in addition to leading to this
oops. Attached is a possible, un-tested fix.
>
>>>
>>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>>> at (null)
>>> [12578.054025] IP: [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>>> [12578.054025] Oops: 0000 [#2] SMP
>>> [12578.054025] CPU 1
>>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G D W
>>> 3.8.0-rc6+ #31 Bochs Bochs
>>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>] [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] RSP: 0018:ffff88002b6b5e18 EFLAGS: 00010246
>>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>>> 0000000000000001
>>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>>> 0000000000000246
>>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>>> 0000000000000000
>>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>>> 0000000000000001
>>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>>> ffff88003132d410
>>> [12578.054025] FS: 00007f7385059700(0000) GS:ffff88003e200000(0000)
>>> knlGS:0000000000000000
>>> [12578.054025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>>> 00000000000006e0
>>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>>> ffff88002b6b4000, task ffff88000e8bc560)
>>> [12578.054025] Stack:
>>> [12578.054025] ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>>> ffffffff00000000
>>> [12578.054025] ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>>> 0000000000000001
>>> [12578.054025] 0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>>> ffffffff81314086
>>> [12578.054025] Call Trace:
>>> [12578.054025] [<ffffffff8131e105>] ? selinux_msg_queue_msgrcv+0x5/0x1e0
>>> [12578.054025] [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>>> [12578.054025] [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>>> [12578.054025] [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>>> [12578.054025] [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>>> [12578.054025] [<ffffffff812fe340>] ? load_msg+0x180/0x180
>>> [12578.054025] [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>>> [12578.054025] [<ffffffff810fb236>] ? trace_hardirqs_on_caller+0x16/0x1a0
>>> [12578.054025] [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [12578.054025] [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>>> [12578.054025] [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [12578.054025] RIP [<ffffffff8131e1da>]
>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>> [12578.054025] RSP <ffff88002b6b5e18>
>>> [12578.054025] CR2: 0000000000000000
>>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>>
>>>
>>> After adding:
>>>
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 54aaa72..20cec57 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>>> msg_queue *msq, struct msg_msg *msg,
>>>
>>> rc = avc_has_perm(sid, isec->sid,
>>> SECCLASS_MSGQ, MSGQ__READ, &ad);
>>> - if (!rc)
>>> + if (!rc) {
>>> + WARN(msec == NULL, "msec is NULL!");
>>> +
>>> rc = avc_has_perm(sid, msec->sid,
>>> SECCLASS_MSG, MSG__RECEIVE, &ad);
>>> + }
>>> return rc;
>>> }
>>>
>>>
>>> I see:
>>>
>>> [ 43.103283] ------------[ cut here ]------------
>>> [ 43.104236] WARNING: at
>>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>>> [ 43.106088] Hardware name: Bochs
>>> [ 43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>>> tainted 3.8.0-rc6+ #37
>>> [ 43.107950] Call Trace:
>>> [ 43.108393] [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [ 43.109534] [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>>> [ 43.110565] [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>>> [ 43.111561] [<ffffffff8131e12f>] selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [ 43.112677] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [ 43.113808] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [ 43.114919] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [ 43.115817] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [ 43.116929] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [ 43.117909] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [ 43.118850] [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [ 43.120019] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [ 43.121126] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [ 43.122001] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [ 43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>>> [ 43.123815]
>>> [ 43.124096] ===============================
>>> [ 43.124804] [ INFO: suspicious RCU usage. ]
>>> [ 43.125531] 3.8.0-rc6+ #37 Tainted: G W
>>> [ 43.126344] -------------------------------
>>> [ 43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>>> Illegal context switch in RCU read-side critical section!
>>> [ 43.129015]
>>> [ 43.129015] other info that might help us debug this:
>>> [ 43.129015]
>>> [ 43.130367]
>>> [ 43.130367] rcu_scheduler_active = 1, debug_locks = 0
>>> [ 43.131481] 3 locks held by trinity-child9/2387:
>>> [ 43.132266] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>>> ipc_lock+0x5/0x1c0
>>> [ 43.133709] #1: (&(&new->lock)->rlock){+.+...}, at:
>>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>>> [ 43.135294] #2: (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>>> __do_page_fault+0x114/0x4e0
>>> [ 43.136864]
>>> [ 43.136864] stack backtrace:
>>> [ 43.137619] Pid: 2387, comm: trinity-child9 Tainted: G W
>>> 3.8.0-rc6+ #37
>>> [ 43.138897] Call Trace:
>>> [ 43.139338] [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>>> [ 43.140417] [<ffffffff81cfb783>] __schedule+0x543/0x900
>>> [ 43.141342] [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>>> [ 43.142291] [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>>> [ 43.143440] [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>>> [ 43.144362] [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>>> [ 43.145362] [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>>> [ 43.146316] [<ffffffff8137319d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
>>> [ 43.147386] [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>>> [ 43.148254] [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>>> [ 43.149239] [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>>> [ 43.150167] [<ffffffff8131e017>] ? selinux_msg_queue_msgrcv+0xe7/0x210
>>> [ 43.151263] [<ffffffff8131e12f>] ?
>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>> [ 43.152357] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [ 43.153475] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [ 43.154828] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [ 43.156052] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [ 43.157586] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [ 43.158830] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [ 43.160131] [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [ 43.161736] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [ 43.163238] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [ 43.164453] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [ 43.176035] BUG: unable to handle kernel NULL pointer dereference
>>> at (null)
>>> [ 43.177016] IP: [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [ 43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>>> [ 43.177016] Oops: 0000 [#1] SMP
>>> [ 43.177016] CPU 0
>>> [ 43.177016] Pid: 2387, comm: trinity-child9 Tainted: G W
>>> 3.8.0-rc6+ #37 Bochs Bochs
>>> [ 43.177016] RIP: 0010:[<ffffffff8131e017>] [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [ 43.177016] RSP: 0018:ffff8800318a7e18 EFLAGS: 00010296
>>> [ 43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>>> 0000000000000006
>>> [ 43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>>> 0000000000000009
>>> [ 43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>>> 0000000000000000
>>> [ 43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>>> 0000000000000001
>>> [ 43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>>> ffff880032e0e810
>>> [ 43.177016] FS: 00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>>> knlGS:0000000000000000
>>> [ 43.177016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [ 43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>>> 00000000000006f0
>>> [ 43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>> 0000000000000000
>>> [ 43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>> 0000000000000400
>>> [ 43.177016] Process trinity-child9 (pid: 2387, threadinfo
>>> ffff8800318a6000, task ffff88003b7c4560)
>>> [ 43.177016] Stack:
>>> [ 43.177016] ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>>> ffffffff5d6d982a
>>> [ 43.177016] ffffffff812fd725 ffff880039c675c0 0000000000000000
>>> 0000000000000001
>>> [ 43.177016] 0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>>> ffffffff813140b6
>>> [ 43.177016] Call Trace:
>>> [ 43.177016] [<ffffffff8131df35>] ? selinux_msg_queue_msgrcv+0x5/0x210
>>> [ 43.177016] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>> [ 43.177016] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>> [ 43.177016] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>> [ 43.177016] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>> [ 43.177016] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>> [ 43.177016] [<ffffffff810fb35d>] ?
>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>> [ 43.177016] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>> [ 43.177016] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>> [ 43.177016] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>> [ 43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>> 00 00
>>> [ 43.177016] RIP [<ffffffff8131e017>]
>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>> [ 43.177016] RSP <ffff8800318a7e18>
>>> [ 43.177016] CR2: 0000000000000000
>>> [ 43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>>> [ 68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>>> [trinity-child8:2382]
>>>
>>> Tommi
>>>
>>
[-- Attachment #2: 0001-Fix-selinux_msg_queue_msgrcv-oops.patch --]
[-- Type: text/x-patch, Size: 4635 bytes --]
>From 694502e960af954c4203d1b76837e51ce6720576 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 6 Feb 2013 11:15:08 -0500
Subject: [PATCH] Fix selinux_msg_queue_msgrcv() oops.
Fix an oops in selinux_msg_queue_msgrcv() by ensuring that
copied messages preserve security information.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reported-by: Tommi Rantala <tt.rantala@gmail.com>
---
include/linux/security.h | 12 ++++++++++++
ipc/msgutil.c | 6 +++++-
security/security.c | 5 +++++
security/selinux/hooks.c | 10 ++++++++++
4 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index eee7478..4737635 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1126,6 +1126,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* created.
* @msg contains the message structure to be modified.
* Return 0 if operation was successful and permission is granted.
+ * @msg_msg_copy_security:
+ * Propagate security information on a msg copy operation.
+ * @src contains the source message structure.
+ * @dst contains the destination message structure.
+ * Return 0 if operation was successful.
* @msg_msg_free_security:
* Deallocate the security structure for this message.
* @msg contains the message structure to be modified.
@@ -1553,6 +1558,7 @@ struct security_operations {
void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid);
int (*msg_msg_alloc_security) (struct msg_msg *msg);
+ int (*msg_msg_copy_security) (struct msg_msg *src, struct msg_msg *dst);
void (*msg_msg_free_security) (struct msg_msg *msg);
int (*msg_queue_alloc_security) (struct msg_queue *msq);
@@ -1811,6 +1817,7 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
int security_msg_msg_alloc(struct msg_msg *msg);
+int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct msg_queue *msq);
void security_msg_queue_free(struct msg_queue *msq);
@@ -2409,6 +2416,11 @@ static inline int security_msg_msg_alloc(struct msg_msg *msg)
return 0;
}
+static inline int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst)
+{
+ return 0;
+}
+
static inline void security_msg_msg_free(struct msg_msg *msg)
{ }
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index ebfcbfa..7837257 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -108,6 +108,7 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
struct msg_msgseg *dst_pseg, *src_pseg;
int len = src->m_ts;
int alen;
+ int err;
BUG_ON(dst == NULL);
if (src->m_ts > dst->m_ts)
@@ -118,7 +119,10 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
alen = DATALEN_MSG;
dst->next = NULL;
- dst->security = NULL;
+
+ err = security_msg_msg_copy(src, dst);
+ if (err < 0)
+ return ERR_PTR(err);
memcpy(dst + 1, src + 1, alen);
diff --git a/security/security.c b/security/security.c
index 7b88c6a..85cd39d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -936,6 +936,11 @@ int security_msg_msg_alloc(struct msg_msg *msg)
return security_ops->msg_msg_alloc_security(msg);
}
+int security_msg_msg_copy(struct msg_msg *src, struct msg_msg *dst)
+{
+ return security_ops->msg_msg_copy_security(src, dst);
+}
+
void security_msg_msg_free(struct msg_msg *msg)
{
security_ops->msg_msg_free_security(msg);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ef26e96..79f93ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4840,6 +4840,15 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
return msg_msg_alloc_security(msg);
}
+static int selinux_msg_msg_copy_security(struct msg_msg *src, struct msg_msg *dst)
+{
+ struct msg_security_struct *smsec, *dmsec;
+ smsec = src->security;
+ dmsec = dst->security;
+ dmsec->sid = smsec->sid;
+ return 0;
+}
+
static void selinux_msg_msg_free_security(struct msg_msg *msg)
{
msg_msg_free_security(msg);
@@ -5603,6 +5612,7 @@ static struct security_operations selinux_ops = {
.ipc_getsecid = selinux_ipc_getsecid,
.msg_msg_alloc_security = selinux_msg_msg_alloc_security,
+ .msg_msg_copy_security = selinux_msg_msg_copy_security,
.msg_msg_free_security = selinux_msg_msg_free_security,
.msg_queue_alloc_security = selinux_msg_queue_alloc_security,
--
1.7.11.7
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: selinux_msg_queue_msgrcv() oops
2013-02-06 16:28 ` Stephen Smalley
@ 2013-02-06 19:51 ` Tommi Rantala
2013-02-07 9:16 ` Stanislav Kinsbursky
0 siblings, 1 reply; 6+ messages in thread
From: Tommi Rantala @ 2013-02-06 19:51 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, Eric Paris, linux-security-module, Dave Jones,
LKML, Stanislav Kinsbursky
2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
> On 02/06/2013 10:21 AM, Tommi Rantala wrote:
>>
>> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>>>
>>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>>> Trinity as the root user (in a qemu VM):
>>>
>>>
>>>
>>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux
>>> is
>>> just the messenger. Normally msg->security is set for every allocated
>>> msg
>>> by load_msg() -> security_msg_msg_alloc() ->
>>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>>> security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking
>>> around,
>>> I see copy_msg() introduced for checkpoint-restore initializes
>>> dst->security
>>> to NULL but never sets it properly?
>>
>>
>> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
>> analysis seems to be correct.
>
>
> (cc originator of the bug)
>
> If I am reading this correctly, then when the copy msg was created, a msg
> security struct was already allocated
> (prepare_copy->load_msg->security_msg_msg_alloc). So having copy_msg()
> clear dst->security is also a memory leak in addition to leading to this
> oops. Attached is a possible, un-tested fix.
I can still reproduce the exact same oops with the patch applied. I
also wanted to be sure that copy_msg() is called, so I added a warning
there, but that never gets triggered. So I suppose the problem is not
actually related to CONFIG_CHECKPOINT_RESTORE.
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index 7837257..78faadc 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -110,6 +110,8 @@ struct msg_msg *copy_msg(struct msg_msg *src,
struct msg_msg *dst)
int alen;
int err;
+ WARN_ON(1);
+
BUG_ON(dst == NULL);
if (src->m_ts > dst->m_ts)
return ERR_PTR(-EINVAL);
>
>>
>>>>
>>>> [12578.053111] BUG: unable to handle kernel NULL pointer dereference
>>>> at (null)
>>>> [12578.054025] IP: [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025] PGD 29961067 PUD 34dc5067 PMD 0
>>>> [12578.054025] Oops: 0000 [#2] SMP
>>>> [12578.054025] CPU 1
>>>> [12578.054025] Pid: 23453, comm: trinity-child23 Tainted: G D W
>>>> 3.8.0-rc6+ #31 Bochs Bochs
>>>> [12578.054025] RIP: 0010:[<ffffffff8131e1da>] [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025] RSP: 0018:ffff88002b6b5e18 EFLAGS: 00010246
>>>> [12578.054025] RAX: 0000000000000000 RBX: ffff88003132d410 RCX:
>>>> 0000000000000001
>>>> [12578.054025] RDX: ffff88000e8bc560 RSI: 0000000000000001 RDI:
>>>> 0000000000000246
>>>> [12578.054025] RBP: ffff88002b6b5e68 R08: 0000000000000000 R09:
>>>> 0000000000000000
>>>> [12578.054025] R10: ffff88000e8bc560 R11: 0000000000000000 R12:
>>>> 0000000000000001
>>>> [12578.054025] R13: 0000000000000000 R14: ffff880006449500 R15:
>>>> ffff88003132d410
>>>> [12578.054025] FS: 00007f7385059700(0000) GS:ffff88003e200000(0000)
>>>> knlGS:0000000000000000
>>>> [12578.054025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [12578.054025] CR2: 0000000000000000 CR3: 00000000303a2000 CR4:
>>>> 00000000000006e0
>>>> [12578.054025] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>>> 0000000000000000
>>>> [12578.054025] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>>> 0000000000000400
>>>> [12578.054025] Process trinity-child23 (pid: 23453, threadinfo
>>>> ffff88002b6b4000, task ffff88000e8bc560)
>>>> [12578.054025] Stack:
>>>> [12578.054025] ffffffff8131e105 ffffffff81313f69 ffff88002b6b5e04
>>>> ffffffff00000000
>>>> [12578.054025] ffffffff812fd6f5 ffff88003a89c1c0 0000000000000000
>>>> 0000000000000001
>>>> [12578.054025] 0000000000000000 ffff88003132d4c0 ffff88002b6b5e78
>>>> ffffffff81314086
>>>> [12578.054025] Call Trace:
>>>> [12578.054025] [<ffffffff8131e105>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x1e0
>>>> [12578.054025] [<ffffffff81313f69>] ? security_ipc_permission+0x19/0x20
>>>> [12578.054025] [<ffffffff812fd6f5>] ? ipc_lock+0x5/0x1c0
>>>> [12578.054025] [<ffffffff81314086>] security_msg_queue_msgrcv+0x16/0x20
>>>> [12578.054025] [<ffffffff812ff93f>] do_msgrcv+0x1ef/0x6e0
>>>> [12578.054025] [<ffffffff812fe340>] ? load_msg+0x180/0x180
>>>> [12578.054025] [<ffffffff81373184>] ? lockdep_sys_exit_thunk+0x35/0x67
>>>> [12578.054025] [<ffffffff810fb236>] ?
>>>> trace_hardirqs_on_caller+0x16/0x1a0
>>>> [12578.054025] [<ffffffff8137310e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [12578.054025] [<ffffffff812ffe45>] sys_msgrcv+0x15/0x20
>>>> [12578.054025] [<ffffffff81cfe9d9>] system_call_fastpath+0x16/0x1b
>>>> [12578.054025] Code: 4c 8d 45 c0 45 31 c9 b9 10 00 00 00 44 89 e7 4d
>>>> 8b 6d 28 c6 45 c0 04 89 55 c8 8b 70 04 ba 1b 00 00 00 e8 fa 7a ff ff
>>>> 85 c0 75 1d <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>>> 00 00
>>>> [12578.054025] RIP [<ffffffff8131e1da>]
>>>> selinux_msg_queue_msgrcv+0xda/0x1e0
>>>> [12578.054025] RSP <ffff88002b6b5e18>
>>>> [12578.054025] CR2: 0000000000000000
>>>> [12578.142292] ---[ end trace 36aee1c7bfea7f83 ]---
>>>>
>>>>
>>>> After adding:
>>>>
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 54aaa72..20cec57 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -4982,9 +4982,12 @@ static int selinux_msg_queue_msgrcv(struct
>>>> msg_queue *msq, struct msg_msg *msg,
>>>>
>>>> rc = avc_has_perm(sid, isec->sid,
>>>> SECCLASS_MSGQ, MSGQ__READ, &ad);
>>>> - if (!rc)
>>>> + if (!rc) {
>>>> + WARN(msec == NULL, "msec is NULL!");
>>>> +
>>>> rc = avc_has_perm(sid, msec->sid,
>>>> SECCLASS_MSG, MSG__RECEIVE, &ad);
>>>> + }
>>>> return rc;
>>>> }
>>>>
>>>>
>>>> I see:
>>>>
>>>> [ 43.103283] ------------[ cut here ]------------
>>>> [ 43.104236] WARNING: at
>>>> /home/ttrantal/git/linux-2.6/security/selinux/hooks.c:4986
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210()
>>>> [ 43.106088] Hardware name: Bochs
>>>> [ 43.106640] msec is NULL!Pid: 2387, comm: trinity-child9 Not
>>>> tainted 3.8.0-rc6+ #37
>>>> [ 43.107950] Call Trace:
>>>> [ 43.108393] [<ffffffff8131e12f>] ?
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [ 43.109534] [<ffffffff8109ac1a>] warn_slowpath_common+0x7a/0xb0
>>>> [ 43.110565] [<ffffffff8109acc6>] warn_slowpath_fmt+0x46/0x50
>>>> [ 43.111561] [<ffffffff8131e12f>]
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [ 43.112677] [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [ 43.113808] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [ 43.114919] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [ 43.115817] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [ 43.116929] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [ 43.117909] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [ 43.118850] [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [ 43.120019] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [ 43.121126] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [ 43.122001] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [ 43.123044] ---[ end trace db5952f0fa3bedc7 ]---
>>>> [ 43.123815]
>>>> [ 43.124096] ===============================
>>>> [ 43.124804] [ INFO: suspicious RCU usage. ]
>>>> [ 43.125531] 3.8.0-rc6+ #37 Tainted: G W
>>>> [ 43.126344] -------------------------------
>>>> [ 43.127083] /home/ttrantal/git/linux-2.6/include/linux/rcupdate.h:468
>>>> Illegal context switch in RCU read-side critical section!
>>>> [ 43.129015]
>>>> [ 43.129015] other info that might help us debug this:
>>>> [ 43.129015]
>>>> [ 43.130367]
>>>> [ 43.130367] rcu_scheduler_active = 1, debug_locks = 0
>>>> [ 43.131481] 3 locks held by trinity-child9/2387:
>>>> [ 43.132266] #0: (rcu_read_lock){.+.+..}, at: [<ffffffff812fd725>]
>>>> ipc_lock+0x5/0x1c0
>>>> [ 43.133709] #1: (&(&new->lock)->rlock){+.+...}, at:
>>>> [<ffffffff812fd7a1>] ipc_lock+0x81/0x1c0
>>>> [ 43.135294] #2: (&mm->mmap_sem){++++++}, at: [<ffffffff8108e1d4>]
>>>> __do_page_fault+0x114/0x4e0
>>>> [ 43.136864]
>>>> [ 43.136864] stack backtrace:
>>>> [ 43.137619] Pid: 2387, comm: trinity-child9 Tainted: G W
>>>> 3.8.0-rc6+ #37
>>>> [ 43.138897] Call Trace:
>>>> [ 43.139338] [<ffffffff810fdd1d>] lockdep_rcu_suspicious+0xfd/0x130
>>>> [ 43.140417] [<ffffffff81cfb783>] __schedule+0x543/0x900
>>>> [ 43.141342] [<ffffffff810d38ba>] __cond_resched+0x2a/0x40
>>>> [ 43.142291] [<ffffffff8108e1d4>] ? __do_page_fault+0x114/0x4e0
>>>> [ 43.143440] [<ffffffff81cfbc6f>] _cond_resched+0x2f/0x40
>>>> [ 43.144362] [<ffffffff8108e1e1>] __do_page_fault+0x121/0x4e0
>>>> [ 43.145362] [<ffffffff810fb3fd>] ? trace_hardirqs_on+0xd/0x10
>>>> [ 43.146316] [<ffffffff8137319d>] ?
>>>> trace_hardirqs_off_thunk+0x3a/0x3c
>>>> [ 43.147386] [<ffffffff8108e5de>] do_page_fault+0xe/0x10
>>>> [ 43.148254] [<ffffffff810889fa>] do_async_page_fault+0x2a/0xa0
>>>> [ 43.149239] [<ffffffff81cfe138>] async_page_fault+0x28/0x30
>>>> [ 43.150167] [<ffffffff8131e017>] ?
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [ 43.151263] [<ffffffff8131e12f>] ?
>>>> selinux_msg_queue_msgrcv+0x1ff/0x210
>>>> [ 43.152357] [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [ 43.153475] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [ 43.154828] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [ 43.156052] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [ 43.157586] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [ 43.158830] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [ 43.160131] [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [ 43.161736] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [ 43.163238] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [ 43.164453] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [ 43.176035] BUG: unable to handle kernel NULL pointer dereference
>>>> at (null)
>>>> [ 43.177016] IP: [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [ 43.177016] PGD 3189b067 PUD 3189c067 PMD 0
>>>> [ 43.177016] Oops: 0000 [#1] SMP
>>>> [ 43.177016] CPU 0
>>>> [ 43.177016] Pid: 2387, comm: trinity-child9 Tainted: G W
>>>> 3.8.0-rc6+ #37 Bochs Bochs
>>>> [ 43.177016] RIP: 0010:[<ffffffff8131e017>] [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [ 43.177016] RSP: 0018:ffff8800318a7e18 EFLAGS: 00010296
>>>> [ 43.177016] RAX: 0000000000000000 RBX: ffff880032e0e810 RCX:
>>>> 0000000000000006
>>>> [ 43.177016] RDX: 0000000000003e50 RSI: ffff88003b7c4c68 RDI:
>>>> 0000000000000009
>>>> [ 43.177016] RBP: ffff8800318a7e68 R08: 0000000000000001 R09:
>>>> 0000000000000000
>>>> [ 43.177016] R10: 0000000000000000 R11: 0000000000000288 R12:
>>>> 0000000000000001
>>>> [ 43.177016] R13: 0000000000000000 R14: ffff88003b22ae80 R15:
>>>> ffff880032e0e810
>>>> [ 43.177016] FS: 00007fc6ba864700(0000) GS:ffff88003fc00000(0000)
>>>> knlGS:0000000000000000
>>>> [ 43.177016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [ 43.177016] CR2: 00007fc6ba6471f0 CR3: 0000000031898000 CR4:
>>>> 00000000000006f0
>>>> [ 43.177016] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>>>> 0000000000000000
>>>> [ 43.177016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
>>>> 0000000000000400
>>>> [ 43.177016] Process trinity-child9 (pid: 2387, threadinfo
>>>> ffff8800318a6000, task ffff88003b7c4560)
>>>> [ 43.177016] Stack:
>>>> [ 43.177016] ffffffff8131df35 ffffffff81313f99 ffff8800318a7e04
>>>> ffffffff5d6d982a
>>>> [ 43.177016] ffffffff812fd725 ffff880039c675c0 0000000000000000
>>>> 0000000000000001
>>>> [ 43.177016] 0000000000000000 ffff880032e0e8c0 ffff8800318a7e78
>>>> ffffffff813140b6
>>>> [ 43.177016] Call Trace:
>>>> [ 43.177016] [<ffffffff8131df35>] ?
>>>> selinux_msg_queue_msgrcv+0x5/0x210
>>>> [ 43.177016] [<ffffffff81313f99>] ? security_ipc_permission+0x19/0x20
>>>> [ 43.177016] [<ffffffff812fd725>] ? ipc_lock+0x5/0x1c0
>>>> [ 43.177016] [<ffffffff813140b6>] security_msg_queue_msgrcv+0x16/0x20
>>>> [ 43.177016] [<ffffffff812ff96f>] do_msgrcv+0x1ef/0x6e0
>>>> [ 43.177016] [<ffffffff812fe370>] ? load_msg+0x180/0x180
>>>> [ 43.177016] [<ffffffff810fb35d>] ?
>>>> trace_hardirqs_on_caller+0x10d/0x1a0
>>>> [ 43.177016] [<ffffffff8137315e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>>>> [ 43.177016] [<ffffffff812ffe75>] sys_msgrcv+0x15/0x20
>>>> [ 43.177016] [<ffffffff81cfea19>] system_call_fastpath+0x16/0x1b
>>>> [ 43.177016] Code: 00 00 00 44 89 e7 4d 8b 6d 28 c6 45 c0 04 89 55
>>>> c8 8b 70 04 ba 1b 00 00 00 e8 f6 7c ff ff 85 c0 75 26 4d 85 ed 0f 84
>>>> 00 01 00 00 <41> 8b 75 00 4c 8d 45 c0 45 31 c9 b9 02 00 00 00 ba 1a 00
>>>> 00 00
>>>> [ 43.177016] RIP [<ffffffff8131e017>]
>>>> selinux_msg_queue_msgrcv+0xe7/0x210
>>>> [ 43.177016] RSP <ffff8800318a7e18>
>>>> [ 43.177016] CR2: 0000000000000000
>>>> [ 43.228535] ---[ end trace db5952f0fa3bedc8 ]---
>>>> [ 68.106008] BUG: soft lockup - CPU#0 stuck for 22s!
>>>> [trinity-child8:2382]
>>>>
>>>> Tommi
>>>>
>>>
>
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: selinux_msg_queue_msgrcv() oops
2013-02-06 19:51 ` Tommi Rantala
@ 2013-02-07 9:16 ` Stanislav Kinsbursky
0 siblings, 0 replies; 6+ messages in thread
From: Stanislav Kinsbursky @ 2013-02-07 9:16 UTC (permalink / raw)
To: Tommi Rantala
Cc: Stephen Smalley, James Morris, Eric Paris, linux-security-module,
Dave Jones, LKML
06.02.2013 23:51, Tommi Rantala пишет:
> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>> On 02/06/2013 10:21 AM, Tommi Rantala wrote:
>>>
>>> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>>>>
>>>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>>>> Trinity as the root user (in a qemu VM):
>>>>
>>>>
>>>>
>>>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux
>>>> is
>>>> just the messenger. Normally msg->security is set for every allocated
>>>> msg
>>>> by load_msg() -> security_msg_msg_alloc() ->
>>>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>>>> security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking
>>>> around,
>>>> I see copy_msg() introduced for checkpoint-restore initializes
>>>> dst->security
>>>> to NULL but never sets it properly?
>>>
>>>
>>> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
>>> analysis seems to be correct.
>>
>>
>> (cc originator of the bug)
>>
>> If I am reading this correctly, then when the copy msg was created, a msg
>> security struct was already allocated
>> (prepare_copy->load_msg->security_msg_msg_alloc). So having copy_msg()
>> clear dst->security is also a memory leak in addition to leading to this
>> oops. Attached is a possible, un-tested fix.
>
> I can still reproduce the exact same oops with the patch applied. I
> also wanted to be sure that copy_msg() is called, so I added a warning
> there, but that never gets triggered. So I suppose the problem is not
> actually related to CONFIG_CHECKPOINT_RESTORE.
>
Hello.
Unfortunately, you are not the first one, who experience problems with Trinity running in KVM.
copy_msg() won't be called unless you'll specify the MSG_COPY flag in msgrcv() flags parameter.
Could you make a small investigation around the problem?
For example, does this problem appear, is you disable CONFIG_CHECKPOINT_RESTORE config option?
--
Best regards,
Stanislav Kinsbursky
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-02-07 9:17 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-02-06 12:56 selinux_msg_queue_msgrcv() oops Tommi Rantala
2013-02-06 14:18 ` Stephen Smalley
2013-02-06 15:21 ` Tommi Rantala
2013-02-06 16:28 ` Stephen Smalley
2013-02-06 19:51 ` Tommi Rantala
2013-02-07 9:16 ` Stanislav Kinsbursky
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.