From: Paul Moore <paul@paul-moore.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Eric Paris <eparis@redhat.com>,
syzbot <syzbot+9a5e789e4725b9ef1316@syzkaller.appspotmail.com>,
a@unstable.cc, b.a.t.m.a.n@lists.open-mesh.org,
Dan Carpenter <dan.carpenter@oracle.com>,
David Miller <davem@davemloft.net>,
fzago@cray.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
john.hammond@intel.com, linux-audit@redhat.com,
LKML <linux-kernel@vger.kernel.org>,
mareklindner@neomailbox.ch, netdev <netdev@vger.kernel.org>,
sw@simonwunderlich.de,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: kernel panic: audit: backlog limit exceeded
Date: Thu, 27 Feb 2020 19:14:15 -0500 [thread overview]
Message-ID: <CAHC9VhRRDJzyene2_40nhnxRV_ufgyaU=RrFxYGsnxR4Z_AWWw@mail.gmail.com> (raw)
In-Reply-To: <CACT4Y+azQXLcPqtJG9zbj8hxqw4jE3dcwUj5T06bdL3uMaZk+Q@mail.gmail.com>
On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> On Mon, Feb 24, 2020 at 11:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris <eparis@redhat.com> wrote:
> > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e00000 (the
> > > reproducer listed) looks like it is literally fuzzing the AUDIT_SET.
> > > Which seems like this is working as designed if it is setting the
> > > failure mode to 2.
> >
> > So it is, good catch :) I saw the panic and instinctively chalked
> > that up to a mistaken config, not expecting that it was what was being
> > tested.
>
> Yes, this audit failure mode is quite unpleasant for fuzzing. And
> since this is not a top-level syscall argument value, it's effectively
> impossible to filter out in the fuzzer. Maybe another use case for the
> "fuzer lockdown" feature +Tetsuo proposed.
> With the current state of the things, I think we only have an option
> to disable fuzzing of audit. Which is pity because it has found 5 or
> so real bugs in audit too.
> But this happened anyway because audit is only reachable from init pid
> namespace and syzkaller always unshares pid namespace for sandboxing
> reasons, that was removed accidentally and that's how it managed to
> find the bugs. But the unshare is restored now:
> https://github.com/google/syzkaller/commit/5e0e1d1450d7c3497338082fc28912fdd7f93a3c
>
> As a side effect all other real bugs in audit will be auto-obsoleted
> in future if not fixed because they will stop happening.
On the plus side, I did submit fixes for the other real audit bugs
that syzbot found recently and Linus pulled them into the tree today
so at least we have that small victory.
We could consider adding a fuzz-friendly build time config which would
disable the panic failsafe, but it probably isn't worth it at the
moment considering the syzbot's pid namespace limitations.
--
paul moore
www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: mareklindner@neomailbox.ch, sw@simonwunderlich.de,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
a@unstable.cc, LKML <linux-kernel@vger.kernel.org>,
David Miller <davem@davemloft.net>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
b.a.t.m.a.n@diktynna.open-mesh.org, linux-audit@redhat.com,
syzkaller <syzkaller@googlegroups.com>,
netdev <netdev@vger.kernel.org>,
john.hammond@intel.com, fzago@cray.com,
syzbot <syzbot+9a5e789e4725b9ef1316@syzkaller.appspotmail.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: kernel panic: audit: backlog limit exceeded
Date: Thu, 27 Feb 2020 19:14:15 -0500 [thread overview]
Message-ID: <CAHC9VhRRDJzyene2_40nhnxRV_ufgyaU=RrFxYGsnxR4Z_AWWw@mail.gmail.com> (raw)
Message-ID: <20200228001415.2MfkrXol5IbQ9Y5sKXRh8nOczdIUP4KYDUdnEDfBQpA@z> (raw)
In-Reply-To: <CACT4Y+azQXLcPqtJG9zbj8hxqw4jE3dcwUj5T06bdL3uMaZk+Q@mail.gmail.com>
On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov <dvyukov@google.com> wrote:
> On Mon, Feb 24, 2020 at 11:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris <eparis@redhat.com> wrote:
> > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e00000 (the
> > > reproducer listed) looks like it is literally fuzzing the AUDIT_SET.
> > > Which seems like this is working as designed if it is setting the
> > > failure mode to 2.
> >
> > So it is, good catch :) I saw the panic and instinctively chalked
> > that up to a mistaken config, not expecting that it was what was being
> > tested.
>
> Yes, this audit failure mode is quite unpleasant for fuzzing. And
> since this is not a top-level syscall argument value, it's effectively
> impossible to filter out in the fuzzer. Maybe another use case for the
> "fuzer lockdown" feature +Tetsuo proposed.
> With the current state of the things, I think we only have an option
> to disable fuzzing of audit. Which is pity because it has found 5 or
> so real bugs in audit too.
> But this happened anyway because audit is only reachable from init pid
> namespace and syzkaller always unshares pid namespace for sandboxing
> reasons, that was removed accidentally and that's how it managed to
> find the bugs. But the unshare is restored now:
> https://github.com/google/syzkaller/commit/5e0e1d1450d7c3497338082fc28912fdd7f93a3c
>
> As a side effect all other real bugs in audit will be auto-obsoleted
> in future if not fixed because they will stop happening.
On the plus side, I did submit fixes for the other real audit bugs
that syzbot found recently and Linus pulled them into the tree today
so at least we have that small victory.
We could consider adding a fuzz-friendly build time config which would
disable the panic failsafe, but it probably isn't worth it at the
moment considering the syzbot's pid namespace limitations.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-02-28 0:14 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-24 8:18 kernel panic: audit: backlog limit exceeded syzbot
2020-02-24 8:18 ` syzbot
2020-02-24 22:38 ` Paul Moore
2020-02-24 22:38 ` Paul Moore
2020-02-24 22:43 ` Eric Paris
2020-02-24 22:43 ` Eric Paris
2020-02-24 22:43 ` Eric Paris
2020-02-24 22:46 ` Paul Moore
2020-02-24 22:46 ` Paul Moore
[not found] ` <CAHC9VhQnbdJprbdTa_XcgUJaiwhzbnGMWJqHczU54UMk0AFCtw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-02-27 15:39 ` (unknown) Dmitry Vyukov via B.A.T.M.A.N
2020-02-27 15:39 ` kernel panic: audit: backlog limit exceeded Dmitry Vyukov
2020-02-27 15:39 ` Dmitry Vyukov
2020-02-28 0:14 ` Paul Moore [this message]
2020-02-28 0:14 ` Paul Moore
2020-02-28 10:03 ` Tetsuo Handa
2020-02-28 13:08 ` Paul Moore
2020-03-02 8:47 ` Dmitry Vyukov
2020-03-02 13:43 ` Paul Moore
2020-03-02 14:25 ` Dmitry Vyukov
2020-03-02 8:42 ` Dmitry Vyukov
2020-03-02 8:42 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhRRDJzyene2_40nhnxRV_ufgyaU=RrFxYGsnxR4Z_AWWw@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=a@unstable.cc \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=eparis@redhat.com \
--cc=fzago@cray.com \
--cc=gregkh@linuxfoundation.org \
--cc=john.hammond@intel.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mareklindner@neomailbox.ch \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sw@simonwunderlich.de \
--cc=syzbot+9a5e789e4725b9ef1316@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.