* [PATCH 0/2] Fix race conditions when reading out policy data @ 2020-08-24 11:30 Ondrej Mosnacek 2020-08-24 11:30 ` [PATCH 1/2] selinux: fix a race condition in security_read_policy() Ondrej Mosnacek 2020-08-24 11:30 ` [PATCH 2/2] selinux: fix a race condition in sel_open_policy() Ondrej Mosnacek 0 siblings, 2 replies; 7+ messages in thread From: Ondrej Mosnacek @ 2020-08-24 11:30 UTC (permalink / raw) To: selinux, Paul Moore; +Cc: Stephen Smalley v2: - avoid calling vmalloc_user() under read lock - add one more patch that fixes another related race condition v1: https://lore.kernel.org/selinux/CAFqZXNvdtpxveqesYMz3ZxoWGd_vi5euqy6c9gzhmdkKgbU-Fg@mail.gmail.com/T/ Ondrej Mosnacek (2): selinux: fix a race condition in security_read_policy() selinux: fix a race condition in sel_open_policy() security/selinux/include/security.h | 1 - security/selinux/selinuxfs.c | 12 ++++++------ security/selinux/ss/services.c | 28 ++++++++++++---------------- 3 files changed, 18 insertions(+), 23 deletions(-) -- 2.26.2 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/2] selinux: fix a race condition in security_read_policy() 2020-08-24 11:30 [PATCH 0/2] Fix race conditions when reading out policy data Ondrej Mosnacek @ 2020-08-24 11:30 ` Ondrej Mosnacek 2020-08-24 12:47 ` Stephen Smalley 2020-08-24 11:30 ` [PATCH 2/2] selinux: fix a race condition in sel_open_policy() Ondrej Mosnacek 1 sibling, 1 reply; 7+ messages in thread From: Ondrej Mosnacek @ 2020-08-24 11:30 UTC (permalink / raw) To: selinux, Paul Moore; +Cc: Stephen Smalley In security_read_policy(), the policy length is computed using security_policydb_len(), which does a separate transaction, and then another transaction is done to write the policydb into a buffer of this length. The bug is that the policy might be re-loaded in between the two transactions and so the length can be wrong. In case the new length is lower than the old length, the length is corrected at the end of the function. In case the new length is higher than the old one, an error is returned. Since we can't call vmalloc_user() under read_lock(), fix it by checking if the allocated buffer is sufficiently large after doing the allocation and taking the read lock and if not, retry the whole operation with the new size. Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/ss/services.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a48fc1b337ba9..2c9072f095985 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3849,14 +3849,22 @@ int security_read_policy(struct selinux_state *state, *len = security_policydb_len(state); +again: *data = vmalloc_user(*len); if (!*data) return -ENOMEM; + read_lock(&state->ss->policy_rwlock); + if (*len < state->ss->policy->policydb.len) { + *len = state->ss->policy->policydb.len; + read_unlock(&state->ss->policy_rwlock); + vfree(*data); + goto again; + } + fp.data = *data; fp.len = *len; - read_lock(&state->ss->policy_rwlock); rc = policydb_write(&state->ss->policy->policydb, &fp); read_unlock(&state->ss->policy_rwlock); -- 2.26.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] selinux: fix a race condition in security_read_policy() 2020-08-24 11:30 ` [PATCH 1/2] selinux: fix a race condition in security_read_policy() Ondrej Mosnacek @ 2020-08-24 12:47 ` Stephen Smalley 2020-08-24 12:52 ` Stephen Smalley 0 siblings, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2020-08-24 12:47 UTC (permalink / raw) To: Ondrej Mosnacek; +Cc: SElinux list, Paul Moore On Mon, Aug 24, 2020 at 7:30 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > In security_read_policy(), the policy length is computed using > security_policydb_len(), which does a separate transaction, and then > another transaction is done to write the policydb into a buffer of this > length. > > The bug is that the policy might be re-loaded in between the two > transactions and so the length can be wrong. In case the new length is > lower than the old length, the length is corrected at the end of the > function. In case the new length is higher than the old one, an error is > returned. > > Since we can't call vmalloc_user() under read_lock(), fix it by checking > if the allocated buffer is sufficiently large after doing the allocation > and taking the read lock and if not, retry the whole operation with the > new size. > > Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > security/selinux/ss/services.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index a48fc1b337ba9..2c9072f095985 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -3849,14 +3849,22 @@ int security_read_policy(struct selinux_state *state, > > *len = security_policydb_len(state); > > +again: > *data = vmalloc_user(*len); > if (!*data) > return -ENOMEM; > > + read_lock(&state->ss->policy_rwlock); > + if (*len < state->ss->policy->policydb.len) { > + *len = state->ss->policy->policydb.len; > + read_unlock(&state->ss->policy_rwlock); > + vfree(*data); > + goto again; > + } > + > fp.data = *data; > fp.len = *len; > > - read_lock(&state->ss->policy_rwlock); > rc = policydb_write(&state->ss->policy->policydb, &fp); > read_unlock(&state->ss->policy_rwlock); > security_read_policy() is called with fsi->mutex held by selinuxfs, so policy reload cannot occur in between the length computation and the writing of the policydb. Right? It's another case where we could pass down the mutex as in my rcu patches for a lockdep assertion. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] selinux: fix a race condition in security_read_policy() 2020-08-24 12:47 ` Stephen Smalley @ 2020-08-24 12:52 ` Stephen Smalley 2020-08-24 13:04 ` Ondrej Mosnacek 0 siblings, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2020-08-24 12:52 UTC (permalink / raw) To: Ondrej Mosnacek; +Cc: SElinux list, Paul Moore On Mon, Aug 24, 2020 at 8:47 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Mon, Aug 24, 2020 at 7:30 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > In security_read_policy(), the policy length is computed using > > security_policydb_len(), which does a separate transaction, and then > > another transaction is done to write the policydb into a buffer of this > > length. > > > > The bug is that the policy might be re-loaded in between the two > > transactions and so the length can be wrong. In case the new length is > > lower than the old length, the length is corrected at the end of the > > function. In case the new length is higher than the old one, an error is > > returned. > > > > Since we can't call vmalloc_user() under read_lock(), fix it by checking > > if the allocated buffer is sufficiently large after doing the allocation > > and taking the read lock and if not, retry the whole operation with the > > new size. > > > > Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > security/selinux/ss/services.c | 10 +++++++++- > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > > index a48fc1b337ba9..2c9072f095985 100644 > > --- a/security/selinux/ss/services.c > > +++ b/security/selinux/ss/services.c > > @@ -3849,14 +3849,22 @@ int security_read_policy(struct selinux_state *state, > > > > *len = security_policydb_len(state); > > > > +again: > > *data = vmalloc_user(*len); > > if (!*data) > > return -ENOMEM; > > > > + read_lock(&state->ss->policy_rwlock); > > + if (*len < state->ss->policy->policydb.len) { > > + *len = state->ss->policy->policydb.len; > > + read_unlock(&state->ss->policy_rwlock); > > + vfree(*data); > > + goto again; > > + } > > + > > fp.data = *data; > > fp.len = *len; > > > > - read_lock(&state->ss->policy_rwlock); > > rc = policydb_write(&state->ss->policy->policydb, &fp); > > read_unlock(&state->ss->policy_rwlock); > > > > security_read_policy() is called with fsi->mutex held by selinuxfs, so > policy reload cannot occur in between the length computation and the > writing of the policydb. Right? It's another case where we could > pass down the mutex as in my rcu patches for a lockdep assertion. If my RCU patches are merged, we could modify security_read_policy() to take the mutex too and use rcu_dereference_protected() there, likewise getting rid of the separate security_policydb_len(). Or I could re-spin them to do that if any other changes are needed. Waiting to see if Paul wants any changes to either of those. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] selinux: fix a race condition in security_read_policy() 2020-08-24 12:52 ` Stephen Smalley @ 2020-08-24 13:04 ` Ondrej Mosnacek 2020-08-25 13:28 ` Paul Moore 0 siblings, 1 reply; 7+ messages in thread From: Ondrej Mosnacek @ 2020-08-24 13:04 UTC (permalink / raw) To: Stephen Smalley; +Cc: SElinux list, Paul Moore On Mon, Aug 24, 2020 at 2:53 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > On Mon, Aug 24, 2020 at 8:47 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > On Mon, Aug 24, 2020 at 7:30 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > > > In security_read_policy(), the policy length is computed using > > > security_policydb_len(), which does a separate transaction, and then > > > another transaction is done to write the policydb into a buffer of this > > > length. > > > > > > The bug is that the policy might be re-loaded in between the two > > > transactions and so the length can be wrong. In case the new length is > > > lower than the old length, the length is corrected at the end of the > > > function. In case the new length is higher than the old one, an error is > > > returned. > > > > > > Since we can't call vmalloc_user() under read_lock(), fix it by checking > > > if the allocated buffer is sufficiently large after doing the allocation > > > and taking the read lock and if not, retry the whole operation with the > > > new size. > > > > > > Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > --- > > > security/selinux/ss/services.c | 10 +++++++++- > > > 1 file changed, 9 insertions(+), 1 deletion(-) > > > > > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > > > index a48fc1b337ba9..2c9072f095985 100644 > > > --- a/security/selinux/ss/services.c > > > +++ b/security/selinux/ss/services.c > > > @@ -3849,14 +3849,22 @@ int security_read_policy(struct selinux_state *state, > > > > > > *len = security_policydb_len(state); > > > > > > +again: > > > *data = vmalloc_user(*len); > > > if (!*data) > > > return -ENOMEM; > > > > > > + read_lock(&state->ss->policy_rwlock); > > > + if (*len < state->ss->policy->policydb.len) { > > > + *len = state->ss->policy->policydb.len; > > > + read_unlock(&state->ss->policy_rwlock); > > > + vfree(*data); > > > + goto again; > > > + } > > > + > > > fp.data = *data; > > > fp.len = *len; > > > > > > - read_lock(&state->ss->policy_rwlock); > > > rc = policydb_write(&state->ss->policy->policydb, &fp); > > > read_unlock(&state->ss->policy_rwlock); > > > > > > > security_read_policy() is called with fsi->mutex held by selinuxfs, so > > policy reload cannot occur in between the length computation and the > > writing of the policydb. Right? It's another case where we could > > pass down the mutex as in my rcu patches for a lockdep assertion. > > If my RCU patches are merged, we could modify security_read_policy() > to take the mutex too and use rcu_dereference_protected() there, > likewise getting rid of the separate security_policydb_len(). Or I > could re-spin them to do that if any other changes are needed. > Waiting to see if Paul wants any changes to either of those. Oh, you're right, there is really no race condition thanks to the mutex... So this patch isn't necessary then, but the second one should still count as a simplification (with an updated commit message). I'm fine with merging it into the RCU patch(es) if you want to do it. Or I'll just send a rebased version if they get merged in the current form. -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] selinux: fix a race condition in security_read_policy() 2020-08-24 13:04 ` Ondrej Mosnacek @ 2020-08-25 13:28 ` Paul Moore 0 siblings, 0 replies; 7+ messages in thread From: Paul Moore @ 2020-08-25 13:28 UTC (permalink / raw) To: Ondrej Mosnacek; +Cc: Stephen Smalley, SElinux list On Mon, Aug 24, 2020 at 9:04 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > Oh, you're right, there is really no race condition thanks to the > mutex... So this patch isn't necessary then, but the second one should > still count as a simplification (with an updated commit message). I'm > fine with merging it into the RCU patch(es) if you want to do it. Or > I'll just send a rebased version if they get merged in the current > form. Yes, I think we can drop this patch, but as you point out, I think patch 2/2 would still be nice to have even if it isn't strictly necessary. If you rebase the patch on top of selinux/next and update the description I'll happily merge it. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/2] selinux: fix a race condition in sel_open_policy() 2020-08-24 11:30 [PATCH 0/2] Fix race conditions when reading out policy data Ondrej Mosnacek 2020-08-24 11:30 ` [PATCH 1/2] selinux: fix a race condition in security_read_policy() Ondrej Mosnacek @ 2020-08-24 11:30 ` Ondrej Mosnacek 1 sibling, 0 replies; 7+ messages in thread From: Ondrej Mosnacek @ 2020-08-24 11:30 UTC (permalink / raw) To: selinux, Paul Moore; +Cc: Stephen Smalley The code to update the policy inode size is racy and inefficient. Move it below the security_read_policy() call where we already know the length of the policy we are returning. Since after this, security_policydb_len() is only called from security_load_policy(), remove it and just open-code it there. Fixes: cee74f47a6ba ("SELinux: allow userspace to read policy back out of the kernel") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/include/security.h | 1 - security/selinux/selinuxfs.c | 12 ++++++------ security/selinux/ss/services.c | 18 +++--------------- 3 files changed, 9 insertions(+), 22 deletions(-) diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index c68ed2beadff4..2c14d4165d688 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -219,7 +219,6 @@ void selinux_policy_cancel(struct selinux_state *state, struct selinux_policy *policy); int security_read_policy(struct selinux_state *state, void **data, size_t *len); -size_t security_policydb_len(struct selinux_state *state); int security_policycap_supported(struct selinux_state *state, unsigned int req_cap); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 131816878e503..098d012cf40d8 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -403,16 +403,16 @@ static int sel_open_policy(struct inode *inode, struct file *filp) if (!plm) goto err; - if (i_size_read(inode) != security_policydb_len(state)) { - inode_lock(inode); - i_size_write(inode, security_policydb_len(state)); - inode_unlock(inode); - } - rc = security_read_policy(state, &plm->data, &plm->len); if (rc) goto err; + if ((size_t)i_size_read(inode) != plm->len) { + inode_lock(inode); + i_size_write(inode, plm->len); + inode_unlock(inode); + } + fsi->policy_opened = 1; filp->private_data = plm; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2c9072f095985..0745d4f3a5765 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2289,20 +2289,6 @@ err: return rc; } -size_t security_policydb_len(struct selinux_state *state) -{ - size_t len; - - if (!selinux_initialized(state)) - return 0; - - read_lock(&state->ss->policy_rwlock); - len = state->ss->policy->policydb.len; - read_unlock(&state->ss->policy_rwlock); - - return len; -} - /** * security_port_sid - Obtain the SID for a port. * @protocol: protocol number @@ -3847,7 +3833,9 @@ int security_read_policy(struct selinux_state *state, if (!selinux_initialized(state)) return -EINVAL; - *len = security_policydb_len(state); + read_lock(&state->ss->policy_rwlock); + *len = state->ss->policy->policydb.len; + read_unlock(&state->ss->policy_rwlock); again: *data = vmalloc_user(*len); -- 2.26.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-08-25 13:28 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-08-24 11:30 [PATCH 0/2] Fix race conditions when reading out policy data Ondrej Mosnacek 2020-08-24 11:30 ` [PATCH 1/2] selinux: fix a race condition in security_read_policy() Ondrej Mosnacek 2020-08-24 12:47 ` Stephen Smalley 2020-08-24 12:52 ` Stephen Smalley 2020-08-24 13:04 ` Ondrej Mosnacek 2020-08-25 13:28 ` Paul Moore 2020-08-24 11:30 ` [PATCH 2/2] selinux: fix a race condition in sel_open_policy() Ondrej Mosnacek
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).