From: Paul Moore
Date: Thu, 27 Feb 2020 19:14:15 -0500
Subject: Re: kernel panic: audit: backlog limit exceeded
To: Dmitry Vyukov
Cc: Tetsuo Handa, Eric Paris, syzbot, a@unstable.cc, b.a.t.m.a.n@lists.open-mesh.org, Dan Carpenter, David Miller, fzago@cray.com, Greg Kroah-Hartman, john.hammond@intel.com, linux-audit@redhat.com, LKML, mareklindner@neomailbox.ch, netdev, sw@simonwunderlich.de, syzkaller-bugs, syzkaller
References: <0000000000003cbb40059f4e0346@google.com> <17916d0509978e14d9a5e9eb52d760fa57460542.camel@redhat.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 27, 2020 at 10:40 AM Dmitry Vyukov wrote:
> On Mon, Feb 24, 2020 at 11:47 PM Paul Moore wrote:
> > On Mon, Feb 24, 2020 at 5:43 PM Eric Paris wrote:
> > > https://syzkaller.appspot.com/x/repro.syz?x=151b1109e00000 (the
> > > reproducer listed) looks like it is literally fuzzing the AUDIT_SET.
> > > Which seems like this is working as designed if it is setting the
> > > failure mode to 2.
> >
> > So it is, good catch :) I saw the panic and instinctively chalked
> > that up to a mistaken config, not expecting that it was what was being
> > tested.
>
> Yes, this audit failure mode is quite unpleasant for fuzzing. And
> since this is not a top-level syscall argument value, it's effectively
> impossible to filter out in the fuzzer. Maybe another use case for the
> "fuzzer lockdown" feature +Tetsuo proposed.
> With the current state of the things, I think we only have an option
> to disable fuzzing of audit. Which is a pity because it has found 5 or
> so real bugs in audit too.
> But this happened anyway because audit is only reachable from init pid
> namespace and syzkaller always unshares pid namespace for sandboxing
> reasons, that was removed accidentally and that's how it managed to
> find the bugs. But the unshare is restored now:
> https://github.com/google/syzkaller/commit/5e0e1d1450d7c3497338082fc28912fdd7f93a3c
>
> As a side effect all other real bugs in audit will be auto-obsoleted
> in future if not fixed because they will stop happening.

On the plus side, I did submit fixes for the other real audit bugs that
syzbot found recently and Linus pulled them into the tree today so at
least we have that small victory.

We could consider adding a fuzz-friendly build time config which would
disable the panic failsafe, but it probably isn't worth it at the moment
considering syzbot's pid namespace limitations.
--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
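Added example (not part of the thread, and not code from the kernel tree or the audit userspace tools): the NETLINK_AUDIT exchange behind the reproducer discussed above, in C. It builds the AUDIT_SET request that carries the failure field (the message the fuzzer was driving with failure mode 2), decodes the AUDIT_GET reply, and reports whether the running kernel is configured so that a full audit backlog panics. The numeric constants and the leading fields of struct audit_status are copied from the kernel UAPI headers rather than included, so the pure helpers build and can be exercised on any host; main() is Linux-only, needs CAP_AUDIT_CONTROL, and, as the message above notes, must run in the initial pid namespace (the kernel answers -ECONNREFUSED otherwise). The struct layout, the error codes and the socket handling are my assumptions about the kernel interface, not something the thread itself shows.

```c
/* Added example, not code from the thread, the kernel tree or audit userspace.
 * Constants and the leading fields of struct audit_status are copied from the
 * kernel UAPI (<linux/audit.h>, <linux/netlink.h>) so the helpers build anywhere;
 * only main() (Linux, CAP_AUDIT_CONTROL, initial pid namespace) talks to a real
 * kernel, and it only reads the status (AUDIT_GET), it never sends AUDIT_SET. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { AUDIT_GET = 1000, AUDIT_SET = 1001, AUDIT_STATUS_FAILURE = 0x0002, /* <linux/audit.h> */
       AUDIT_FAIL_SILENT = 0, AUDIT_FAIL_PRINTK = 1, AUDIT_FAIL_PANIC = 2,  /* failure modes */
       NLMSG_ERROR_TYPE = 2, NL_HDR_LEN = 16 };              /* NLMSG_ERROR, sizeof(nlmsghdr) */

/* First eight fields of struct audit_status; the tail varies by kernel version. */
struct audit_status_prefix {
    uint32_t mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog;
};

/* nlmsghdr + payload. Netlink is host-endian, so memcpy is the correct encoding.
 * Returns the total length, or 0 if buf is too small. */
static size_t nl_build(unsigned char *buf, size_t cap, uint16_t type, uint32_t seq,
                       const void *payload, size_t plen)
{
    uint32_t total = (uint32_t)(NL_HDR_LEN + plen), pid = 0; uint16_t flags = 0x01; /* NLM_F_REQUEST */
    if (cap < total) return 0;
    memcpy(buf + 0, &total, 4);                   /* nlmsg_len   */
    memcpy(buf + 4, &type, 2);                    /* nlmsg_type  */
    memcpy(buf + 6, &flags, 2);                   /* nlmsg_flags: no ack requested */
    memcpy(buf + 8, &seq, 4);                     /* nlmsg_seq   */
    memcpy(buf + 12, &pid, 4);                    /* nlmsg_pid: kernel fills in the sender */
    if (plen) memcpy(buf + NL_HDR_LEN, payload, plen);
    return total;
}

/* AUDIT_SET with only the failure field flagged valid: the request shape behind
 * `auditctl -f N`, and the one the reproducer drove with N == 2. */
size_t audit_build_set_failure(unsigned char *buf, size_t cap, uint32_t seq, uint32_t failure)
{
    struct audit_status_prefix s = { 0 };
    s.mask = AUDIT_STATUS_FAILURE;
    s.failure = failure;
    return nl_build(buf, cap, AUDIT_SET, seq, &s, sizeof s);
}

/* Classify one message read from the socket: 0 = AUDIT_GET reply decoded into *out;
 * 1 = ack or unrelated type, keep reading; -1 = malformed; -2 = NLMSG_ERROR carrying
 * a failure (-EPERM without CAP_AUDIT_CONTROL, -ECONNREFUSED outside init pid ns). */
int audit_parse_status(const unsigned char *buf, size_t len, struct audit_status_prefix *out)
{
    uint32_t nlen; uint16_t type; int32_t err;
    if (len < NL_HDR_LEN) return -1;
    memcpy(&nlen, buf + 0, 4);
    memcpy(&type, buf + 4, 2);
    if (nlen < NL_HDR_LEN || nlen > len) return -1;    /* never trust nlmsg_len blindly */
    if (type == NLMSG_ERROR_TYPE) {
        if (nlen - NL_HDR_LEN < sizeof err) return -1;
        memcpy(&err, buf + NL_HDR_LEN, sizeof err);
        return err ? -2 : 1;                           /* error == 0 is a plain ack */
    }
    if (type != AUDIT_GET) return 1;
    if (nlen - NL_HDR_LEN < sizeof *out) return -1;
    memcpy(out, buf + NL_HDR_LEN, sizeof *out);
    return 0;
}

/* The configuration behind the report: failure mode 2 plus a finite backlog
 * limit (0 disables the limit in the kernel), so "backlog limit exceeded" panics. */
int audit_overflow_panics(const struct audit_status_prefix *s)
{
    return s->failure == AUDIT_FAIL_PANIC && s->backlog_limit != 0;
}

#ifdef __linux__
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>
int main(void)
{
    unsigned char req[NL_HDR_LEN], rep[8192];
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };  /* nl_pid 0 addresses the kernel */
    struct audit_status_prefix st;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT), rc;
    if (fd < 0) { perror("socket"); return 1; }
    size_t n = nl_build(req, sizeof req, AUDIT_GET, 1, NULL, 0);
    if (sendto(fd, req, n, 0, (struct sockaddr *)&kern, sizeof kern) < 0) { perror("sendto"); return 1; }
    do {                                                    /* reply is unicast to our portid */
        ssize_t r = recv(fd, rep, sizeof rep, 0);
        if (r < 0) { perror("recv"); return 1; }
        rc = audit_parse_status(rep, (size_t)r, &st);
        if (rc < 0) { fprintf(stderr, rc == -2 ? "AUDIT_GET refused (EPERM/ECONNREFUSED)\n" : "malformed reply\n"); return 1; }
    } while (rc != 0);
    close(fd);
    printf("failure=%u (0 silent, 1 printk, 2 panic) backlog_limit=%u backlog=%u lost=%u\n",
           st.failure, st.backlog_limit, st.backlog, st.lost);
    if (audit_overflow_panics(&st))
        printf("WARNING: a full audit backlog will panic this kernel (auditctl -f 1 demotes to printk)\n");
    return 0;
}
#endif
```

Run it as root on a host with the audit subsystem enabled; `auditctl -s` prints the same fields from the same AUDIT_GET reply. The AUDIT_SET builder is deliberately only constructed and never sent, since sending it with failure set to 2 recreates exactly the configuration the thread describes, where the next backlog overflow takes the box down; in production the failure mode is changed through auditctl or libaudit, not by hand-rolled netlink.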