From: Paul Moore <paul@paul-moore.com>
To: "Jaihind Yadav (QUIC)" <quic_jaihindy@quicinc.com>
Cc: "selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: Kernel Panic while accessing avtab_search_node
Date: Wed, 23 Nov 2022 12:21:39 -0500
Message-ID: <CAHC9VhT-GnmsQTeR7tZUO0W1bz4jM8vYffPW15wv3Hs6+s6RPQ@mail.gmail.com>
In-Reply-To: <10b9088cc8d442008e4972ad0c828329@quicinc.com>

On Wed, Nov 23, 2022 at 7:52 AM Jaihind Yadav (QUIC)
<quic_jaihindy@quicinc.com> wrote:
> Hi Paul Moore Sir,
>
> Thanks for the quick response.
> Please find the additional information below.
> We are using the 5.15 kernel in Android T.
> We have not applied any additional patch to the kernel.
>
> I am replying on the same thread again because in that email I attached call stack frames with locals images to explain the issue better after loading the dump in t32,
> but it converted the images to base32 due to the plain text format and made them unreadable. Sorry for the inconvenience caused.
>
> Please let me know if more information is needed.

Hi Jaihind,

Thanks for the additional information.  Unfortunately Android has been
known to carry a large number of kernel patches in their kernels so I
would suggest contacting the Android team for additional help on
resolving this issue.  If you can reproduce this problem with a plain
upstream kernel we may be able to help, but I don't recall seeing
anything similar in any of our upstream kernel use/testing.

Good luck,
-Paul

> -----Original Message-----
> From: Paul Moore <paul@paul-moore.com>
> Sent: Tuesday, November 22, 2022 11:53 PM
> To: Jaihind Yadav (QUIC) <quic_jaihindy@quicinc.com>
> Cc: selinux@vger.kernel.org
> Subject: Re: Kernel Panic while accessing avtab_search_node
>
> On Tue, Nov 22, 2022 at 6:22 AM Jaihind Yadav (QUIC) <quic_jaihindy@quicinc.com> wrote:
> > Hi SELinux team,
> >
> > We are getting a kernel panic due to an invalid memory access from avtab_search_node @231.
> >
> > [  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
> > [  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
> > [  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
> > [  165.265715][T22438] sp : ffffffc0330a3920
> > [  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
> > [  165.265725][T22438] x26: ffffff803acab190 x25: ffffff803acab138 x24: ffffffc0330a3b60
> > [  165.265732][T22438] x23: ffffff804097ea40 x22: ffffffc0330a3b48 x21: 0000000000000361
> > [  165.265739][T22438] x20: 0000000000000360 x19: ffffff80409d3608 x18: ffffffc02ba1d070
> > [  165.265746][T22438] x17: 000000008f58b13b x16: 000000005bbbfbe1 x15: 00000000e6546b64
> > [  165.265753][T22438] x14: 000000001b873593 x13: 0000000058a5459e x12: 0000000000000061
> > [  165.265760][T22438] x11: 0000000000000707 x10: 0000000000000361 x9 : 0000000000000361
> > [  165.265767][T22438] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffffffc0330a39ac
> > [  165.265773][T22438] x5 : ffffffc0330a3b60 x4 : ffffffc0330a3b48 x3 : ffffffc0330a3b60
> > [  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
> > [  165.265787][T22438] Call trace:
> > [  165.265789][T22438]  avtab_search_node+0xe4/0x138
> > [  165.265793][T22438]  security_compute_av+0x18c/0x3f4
> > [  165.265798][T22438]  avc_compute_av+0x84/0xe4
> > [  165.265804][T22438]  avc_has_perm+0x188/0x1f4
> > [  165.265808][T22438]  selinux_task_alloc+0x48/0x58
> > [  165.265812][T22438]  security_task_alloc+0x84/0x150
> > [  165.265816][T22438]  copy_process+0x51c/0xe98
> > [  165.265823][T22438]  kernel_clone+0xb8/0x684
> > [  165.265827][T22438]  __arm64_sys_clone+0x5c/0x8c
> > [  165.265831][T22438]  invoke_syscall+0x60/0x150
> > [  165.265836][T22438]  el0_svc_common+0x98/0x114
> > [  165.265840][T22438]  do_el0_svc+0x28/0xa0
> > [  165.265843][T22438]  el0_svc+0x28/0x90
> > [  165.265848][T22438]  el0t_64_sync_handler+0x88/0xec
> > [  165.265852][T22438]  el0t_64_sync+0x1b4/0x1b8
> > [  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c)
> > [  165.265862][T22438] ---[ end trace 78d0a75f861b1c77 ]---
> >
> > The kernel panic occurs while accessing cur at line 231 of the code snippet below.
> >
> > 218 struct avtab_node *avtab_search_node(struct avtab *h,
> > 219                                      const struct avtab_key *key)
> > 220 {
> > 221         int hvalue;
> > 222         struct avtab_node *cur;
> > 223         u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
> > 224
> > 225         if (!h || !h->nslot)
> > 226                 return NULL;
> > 227
> > 228         hvalue = avtab_hash(key, h->mask);
> > 229         for (cur = h->htable[hvalue]; cur;
> > 230              cur = cur->next) {
> > 231                 if (key->source_type == cur->key.source_type &&
> > 232                     key->target_type == cur->key.target_type &&
> > 233                     key->target_class == cur->key.target_class &&
> > 234                     (specified & cur->key.specified))
> > 235                         return cur;
> >
> > In the above code the null checks are properly handled, so I suspect the hash table is being modified by another thread/process while this code is accessing it.
> >
> > Can you please provide your expert opinion on what the issue could be here and how to fix it?
>
> Hi Jaihind,
>
> We need some additional information to help understand the problem.
> What Linux distribution are you using?  What kernel are you using (version number), and do you have any patches applied to that kernel?
> What SELinux policy are you using?

-- 
paul-moore.com
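A small triage helper for the oops quoted above, added here as an example and not part of the thread: it strips the dmesg prefixes, extracts the faulting address, the pc symbol, the registers and the call trace, and reports which registers hold the faulting address and whether that address lies in the arm64 kernel half at all. The excerpt is constructed from the values in the thread; on it only x0 matches 0x81000000, and that address is below the kernel range, which fits the "user memory" wording of the message and is a pointer value that the NULL checks in the snippet would never reject.

```python
import re

# Constructed excerpt of the arm64 oops quoted in the thread (same values,
# re-joined into one line per kernel message).
OOPS = """\
[  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
[  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
[  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
[  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
[  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
[  165.265787][T22438] Call trace:
[  165.265789][T22438]  avtab_search_node+0xe4/0x138
[  165.265793][T22438]  security_compute_av+0x18c/0x3f4
[  165.265804][T22438]  avc_has_perm+0x188/0x1f4
[  165.265808][T22438]  selinux_task_alloc+0x48/0x58
[  165.265816][T22438]  copy_process+0x51c/0xe98
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[T\d+\]\s*")          # "[  165.26][T22438] "
REG = re.compile(r"\b(x\d+|sp)\s*:\s*([0-9a-f]{16})")       # "x0 : 0000000081000000"
SYM = re.compile(r"^(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")       # "func+0xoff/0xsize"

def parse_oops(text):
    """Split the oops into fault address, pc symbol, registers and call trace."""
    info = {"fault_addr": None, "pc": None, "regs": {}, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        fault = re.search(r"at virtual address ([0-9a-f]+)$", line)
        if fault:
            info["fault_addr"] = int(fault.group(1), 16)
        elif line.startswith("pc :"):
            info["pc"] = SYM.match(line[4:].strip()).group(1)
        elif line == "Call trace:":
            in_trace = True
        elif in_trace and SYM.match(line):
            info["trace"].append(SYM.match(line).group(1))
        else:
            in_trace = False
            for reg, val in REG.findall(line):
                info["regs"][reg] = int(val, 16)
    return info

def triage(info):
    """Which registers hold the faulting address, and is it a kernel pointer at all?"""
    holders = sorted(r for r, v in info["regs"].items() if v == info["fault_addr"])
    kernel_ptr = info["fault_addr"] >= 0xFFFF000000000000   # arm64 kernel (TTBR1) half
    return {"fault_in": holders, "kernel_ptr": kernel_ptr,
            "pc": info["pc"], "top": info["trace"][:3]}
```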
