tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ima: Avoid blocking in RCU read-side critical section

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS: 00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ima_get_action+0x22/0x30
process_measurement+0xb0/0x830
? page_add_file_rmap+0x15/0x170
? alloc_set_pte+0x269/0x4c0
? prep_new_page+0x81/0x140
? simple_xattr_get+0x75/0xa0
? selinux_file_open+0x9d/0xf0
ima_file_check+0x64/0x90
path_openat+0x571/0x1720
do_filp_open+0x9b/0x110
? page_counter_try_charge+0x57/0xc0
? files_cgroup_alloc_fd+0x38/0x60
? __alloc_fd+0xd4/0x250
? do_sys_open+0x1bd/0x250
do_sys_open+0x1bd/0x250
do_syscall_64+0x5d/0x1d0
entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
| Thread A | Thread B |
| |ima_match_policy |
| | rcu_read_lock |
|ima_lsm_update_rule | |
| synchronize_rcu | |
| | kmalloc(GFP_KERNEL)|
| | sleep |
==> synchronize_rcu returns early
| kfree(entry) | |
| | entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
| | entry->action |
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

GUO Zihua and committed by
Paul Moore 9a95c5bf 83a7eefe

+34 -22
+1 -1
include/linux/lsm_hook_defs.h
··· 413 413 414 414 #ifdef CONFIG_AUDIT 415 415 LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, 416 - void **lsmrule) 416 + void **lsmrule, gfp_t gfp) 417 417 LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) 418 418 LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) 419 419 LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)
+3 -2
include/linux/security.h
··· 2048 2048 2049 2049 #ifdef CONFIG_AUDIT 2050 2050 #ifdef CONFIG_SECURITY 2051 - int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); 2051 + int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, 2052 + gfp_t gfp); 2052 2053 int security_audit_rule_known(struct audit_krule *krule); 2053 2054 int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); 2054 2055 void security_audit_rule_free(void *lsmrule); ··· 2057 2056 #else 2058 2057 2059 2058 static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, 2060 - void **lsmrule) 2059 + void **lsmrule, gfp_t gfp) 2061 2060 { 2062 2061 return 0; 2063 2062 }
+3 -2
kernel/auditfilter.c
··· 529 529 entry->rule.buflen += f_val; 530 530 f->lsm_str = str; 531 531 err = security_audit_rule_init(f->type, f->op, str, 532 - (void **)&f->lsm_rule); 532 + (void **)&f->lsm_rule, 533 + GFP_KERNEL); 533 534 /* Keep currently invalid fields around in case they 534 535 * become valid after a policy reload. */ 535 536 if (err == -EINVAL) { ··· 800 799 801 800 /* our own (refreshed) copy of lsm_rule */ 802 801 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 803 - (void **)&df->lsm_rule); 802 + (void **)&df->lsm_rule, GFP_KERNEL); 804 803 /* Keep currently invalid fields around in case they 805 804 * become valid after a policy reload. */ 806 805 if (ret == -EINVAL) {
+3 -3
security/apparmor/audit.c
··· 217 217 } 218 218 } 219 219 220 - int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 220 + int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) 221 221 { 222 222 struct aa_audit_rule *rule; 223 223 ··· 230 230 return -EINVAL; 231 231 } 232 232 233 - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); 233 + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); 234 234 235 235 if (!rule) 236 236 return -ENOMEM; 237 237 238 238 /* Currently rules are treated as coming from the root ns */ 239 239 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, 240 - GFP_KERNEL, true, false); 240 + gfp, true, false); 241 241 if (IS_ERR(rule->label)) { 242 242 int err = PTR_ERR(rule->label); 243 243 aa_audit_rule_free(rule);
+1 -1
security/apparmor/include/audit.h
··· 200 200 } 201 201 202 202 void aa_audit_rule_free(void *vrule); 203 - int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); 203 + int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); 204 204 int aa_audit_rule_known(struct audit_krule *rule); 205 205 int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); 206 206
+1 -1
security/integrity/ima/ima.h
··· 546 546 #else 547 547 548 548 static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, 549 - void **lsmrule) 549 + void **lsmrule, gfp_t gfp) 550 550 { 551 551 return -EINVAL; 552 552 }
+9 -6
security/integrity/ima/ima_policy.c
··· 401 401 kfree(entry); 402 402 } 403 403 404 - static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 404 + static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, 405 + gfp_t gfp) 405 406 { 406 407 struct ima_rule_entry *nentry; 407 408 int i; ··· 411 410 * Immutable elements are copied over as pointers and data; only 412 411 * lsm rules can change 413 412 */ 414 - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 413 + nentry = kmemdup(entry, sizeof(*nentry), gfp); 415 414 if (!nentry) 416 415 return NULL; 417 416 ··· 426 425 427 426 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 428 427 nentry->lsm[i].args_p, 429 - &nentry->lsm[i].rule); 428 + &nentry->lsm[i].rule, 429 + gfp); 430 430 if (!nentry->lsm[i].rule) 431 431 pr_warn("rule for LSM \'%s\' is undefined\n", 432 432 nentry->lsm[i].args_p); ··· 440 438 int i; 441 439 struct ima_rule_entry *nentry; 442 440 443 - nentry = ima_lsm_copy_rule(entry); 441 + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); 444 442 if (!nentry) 445 443 return -ENOMEM; 446 444 ··· 666 664 } 667 665 668 666 if (rc == -ESTALE && !rule_reinitialized) { 669 - lsm_rule = ima_lsm_copy_rule(rule); 667 + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); 670 668 if (lsm_rule) { 671 669 rule_reinitialized = true; 672 670 goto retry; ··· 1142 1140 entry->lsm[lsm_rule].type = audit_type; 1143 1141 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1144 1142 entry->lsm[lsm_rule].args_p, 1145 - &entry->lsm[lsm_rule].rule); 1143 + &entry->lsm[lsm_rule].rule, 1144 + GFP_KERNEL); 1146 1145 if (!entry->lsm[lsm_rule].rule) { 1147 1146 pr_warn("rule for LSM \'%s\' is undefined\n", 1148 1147 entry->lsm[lsm_rule].args_p);
+4 -2
security/security.c
··· 5332 5332 * @op: rule operator 5333 5333 * @rulestr: rule context 5334 5334 * @lsmrule: receive buffer for audit rule struct 5335 + * @gfp: GFP flag used for kmalloc 5335 5336 * 5336 5337 * Allocate and initialize an LSM audit rule structure. 5337 5338 * 5338 5339 * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of 5339 5340 * an invalid rule. 5340 5341 */ 5341 - int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) 5342 + int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, 5343 + gfp_t gfp) 5342 5344 { 5343 - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); 5345 + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); 5344 5346 } 5345 5347 5346 5348 /**
+3 -1
security/selinux/include/audit.h
··· 21 21 * @op: the operator the rule uses 22 22 * @rulestr: the text "target" of the rule 23 23 * @rule: pointer to the new rule structure returned via this 24 + * @gfp: GFP flag used for kmalloc 24 25 * 25 26 * Returns 0 if successful, -errno if not. On success, the rule structure 26 27 * will be allocated internally. The caller must free this structure with 27 28 * selinux_audit_rule_free() after use. 28 29 */ 29 - int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); 30 + int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, 31 + gfp_t gfp); 30 32 31 33 /** 32 34 * selinux_audit_rule_free - free an selinux audit rule structure.
+3 -2
security/selinux/ss/services.c
··· 3507 3507 } 3508 3508 } 3509 3509 3510 - int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3510 + int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 3511 + gfp_t gfp) 3511 3512 { 3512 3513 struct selinux_state *state = &selinux_state; 3513 3514 struct selinux_policy *policy; ··· 3549 3548 return -EINVAL; 3550 3549 } 3551 3550 3552 - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 3551 + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); 3553 3552 if (!tmprule) 3554 3553 return -ENOMEM; 3555 3554 context_init(&tmprule->au_ctxt);
+3 -1
security/smack/smack_lsm.c
··· 4693 4693 * @op: required testing operator (=, !=, >, <, ...) 4694 4694 * @rulestr: smack label to be audited 4695 4695 * @vrule: pointer to save our own audit rule representation 4696 + * @gfp: type of the memory for the allocation 4696 4697 * 4697 4698 * Prepare to audit cases where (@field @op @rulestr) is true. 4698 4699 * The label to be audited is created if necessay. 4699 4700 */ 4700 - static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4701 + static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4702 + gfp_t gfp) 4701 4703 { 4702 4704 struct smack_known *skp; 4703 4705 char **rule = (char **)vrule;