From: Stephen Smalley <sds@tycho.nsa.gov>
To: syzbot <syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com>,
eparis@parisplace.org, linux-kernel@vger.kernel.org,
paul@paul-moore.com, peter.enderborg@sony.com,
selinux@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: general protection fault in ebitmap_destroy
Date: Wed, 09 Jan 2019 11:13:40 -0500 [thread overview]
Message-ID: <d54c804a5d2dfd560108912094db9967db5a795b.camel@tycho.nsa.gov> (raw)
In-Reply-To: <0000000000001a9aa0057f084a81@google.com>
On Wed, 2019-01-09 at 07:41 -0800, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: a88cc8da0279 Merge branch 'akpm' (patches from
> Andrew)
> git tree: upstream
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=1722da4f400000
> kernel config:
> https://syzkaller.appspot.com/x/.config?x=edf1c3031097c304
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=6664500f0f18f07a5c0e
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:
> https://syzkaller.appspot.com/x/repro.syz?x=12d43580c00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the
> commit:
> Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
>
> SELinux: failed to load policy
> sel_write_load: 238 callbacks suppressed
> SELinux: failed to load policy
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9316 Comm: syz-executor2 Not tainted 5.0.0-rc1+ #16
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS
> Google 01/01/2011
> RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
> Code: 49 89 fd 41 54 53 e8 9d e6 36 fe 4d 85 ed 0f 84 99 00 00 00 e8
> 8f e6
> 36 fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02
> 00 0f
> 85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
> RSP: 0018:ffff88808967f5c0 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff88808967f6a8 RCX: dffffc0000000000
> RDX: 0000000000000001 RSI: ffffffff834b1081 RDI: 0000000000000008
> RBP: ffff88808967f5e0 R08: ffff8880972a8140 R09: ffffed1015cc5b90
> R10: ffffed1015cc5b8f R11: ffff8880ae62dc7b R12: ffff888099d993c0
> R13: 0000000000000008 R14: ffff888099d993c0 R15: ffff88808967f648
> FS: 00007f70cd9e5700(0000) GS:ffff8880ae600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000015e7938 CR3: 0000000096c4a000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> sens_destroy+0x49/0xa0 security/selinux/ss/policydb.c:735
> sens_read+0x25d/0x460 security/selinux/ss/policydb.c:1636
> policydb_read+0xed9/0x60d0 security/selinux/ss/policydb.c:2430
> security_load_policy+0x423/0x1830
> security/selinux/ss/services.c:2129
> sel_write_load+0x25a/0x470 security/selinux/selinuxfs.c:565
> __vfs_write+0x116/0xb40 fs/read_write.c:485
> vfs_write+0x20c/0x580 fs/read_write.c:549
> ksys_write+0x105/0x260 fs/read_write.c:598
> __do_sys_write fs/read_write.c:610 [inline]
> __se_sys_write fs/read_write.c:607 [inline]
> __x64_sys_write+0x73/0xb0 fs/read_write.c:607
> do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457ec9
> Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
> 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
> f0 ff
> ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f70cd9e4c78 EFLAGS: 00000246 ORIG_RAX:
> 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
> RDX: 000000000000005c RSI: 0000000020000000 RDI: 0000000000000003
> RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f70cd9e56d4
> R13: 00000000004c720f R14: 00000000004dc9a0 R15: 00000000ffffffff
> Modules linked in:
> ---[ end trace 78ea480790940b53 ]---
> RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
> Code: 49 89 fd 41 54 53 e8 9d e6 36 fe 4d 85 ed 0f 84 99 00 00 00 e8
> 8f e6
> 36 fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02
> 00 0f
> 85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
> RSP: 0018:ffff88808967f5c0 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff88808967f6a8 RCX: dffffc0000000000
> RDX: 0000000000000001 RSI: ffffffff834b1081 RDI: 0000000000000008
> RBP: ffff88808967f5e0 R08: ffff8880972a8140 R09: ffffed1015cc5b90
> R10: ffffed1015cc5b8f R11: ffff8880ae62dc7b R12: ffff888099d993c0
> R13: 0000000000000008 R14: ffff888099d993c0 R15: ffff88808967f648
> FS: 00007f70cd9e5700(0000) GS:ffff8880ae700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000000073c000 CR3: 0000000096c4a000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Possible fix below
From cc9324299f32db326447a28a836c462fc16bc945 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 9 Jan 2019 10:55:10 -0500
Subject: [PATCH] selinux: fix GPF on invalid policy
levdatum->level can be NULL if we encounter an error while loading
the policy during sens_read prior to initializing it. Make sure
sens_destroy handles that case correctly.
Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
security/selinux/ss/policydb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index a50d625e7946..c1c31e33657a 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -732,7 +732,8 @@ static int sens_destroy(void *key, void *datum, void *p)
kfree(key);
if (datum) {
levdatum = datum;
- ebitmap_destroy(&levdatum->level->cat);
+ if (levdatum->level)
+ ebitmap_destroy(&levdatum->level->cat);
kfree(levdatum->level);
}
kfree(datum);
--
2.20.1
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate
> with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
next prev parent reply other threads:[~2019-01-09 16:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-09 15:41 general protection fault in ebitmap_destroy syzbot
2019-01-09 16:13 ` Stephen Smalley [this message]
2019-01-11 1:26 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d54c804a5d2dfd560108912094db9967db5a795b.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=eparis@parisplace.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=peter.enderborg@sony.com \
--cc=selinux@vger.kernel.org \
--cc=syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.