On Thu, Mar 18, 2021 at 12:22 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > On Wed, Mar 3, 2021 at 4:01 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > On Wed, Mar 3, 2021 at 3:57 AM Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> wrote: > > > On 2021-02-12 19:59:30, Ondrej Mosnacek wrote: > > > > Commit 02a52c5c8c3b ("selinux: move policy commit after updating > > > > selinuxfs") moved the selinux_policy_commit() call out of > > > > security_load_policy() into sel_write_load(), which caused a subtle yet > > > > rather serious bug. > > > > > > > > The problem is that security_load_policy() passes a reference to the > > > > convert_params local variable to sidtab_convert(), which stores it in > > > > the sidtab, where it may be accessed until the policy is swapped over > > > > and RCU synchronized. Before 02a52c5c8c3b, selinux_policy_commit() was > > > > called directly from security_load_policy(), so the convert_params > > > > pointer remained valid all the way until the old sidtab was destroyed, > > > > but now that's no longer the case and calls to sidtab_context_to_sid() > > > > on the old sidtab after security_load_policy() returns may cause invalid > > > > memory accesses. > > > > > > > > This can be easily triggered using the stress test from commit > > > > ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve > > > > performance"): > > > > ``` > > > > function rand_cat() { > > > > echo $(( $RANDOM % 1024 )) > > > > } > > > > > > > > function do_work() { > > > > while true; do > > > > echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \ > > > > >/sys/fs/selinux/context 2>/dev/null || true > > > > done > > > > } > > > > > > > > do_work >/dev/null & > > > > do_work >/dev/null & > > > > do_work >/dev/null & > > > > > > > > while load_policy; do echo -n .; sleep 0.1; done > > > > > > > > kill %1 > > > > kill %2 > > > > kill %3 > > > > ``` > > > > > > > > Fix this by allocating the temporary sidtab convert structures > > > > dynamically and passing them among the > > > > selinux_policy_{load,cancel,commit} functions. > > > > > > > > Note that this commit also fixes the minor issue of logging a > > > > MAC_POLICY_LOAD audit record in case sel_make_policy_nodes() fails (in > > > > which case the new policy isn't actually loaded). > > > > > > > > Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs") > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > > > > > Tested-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> > > > Reviewed-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> > > > > > > Feel free to leave those tags on your v3 submission after making the two > > > small changes requested by Paul. > > > > Thanks! > > I haven't seen a final version of these patches yet. Did I miss it? No, I've been waiting for a reply regarding pr_warn() vs. pr_err(), etc. on patch 1/2 (and then it slipped off my mind, so I didn't follow up...) -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.