Kernel Panic while accessing avtab_search_node

Hi SELinux team,

We are getting a kernel panic due to an invalid memory access from avtab_search_node @231.

[  165.187593][T21313] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000081000000
[  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
[  165.265710][T22438] lr : context_struct_compute_av+0x260/0x908
[  165.265715][T22438] sp : ffffffc0330a3920
[  165.265717][T22438] x29: ffffffc0330a3a20 x28: ffffff804097ea40 x27: 0000000000000360
[  165.265725][T22438] x26: ffffff803acab190 x25: ffffff803acab138 x24: ffffffc0330a3b60
[  165.265732][T22438] x23: ffffff804097ea40 x22: ffffffc0330a3b48 x21: 0000000000000361
[  165.265739][T22438] x20: 0000000000000360 x19: ffffff80409d3608 x18: ffffffc02ba1d070
[  165.265746][T22438] x17: 000000008f58b13b x16: 000000005bbbfbe1 x15: 00000000e6546b64
[  165.265753][T22438] x14: 000000001b873593 x13: 0000000058a5459e x12: 0000000000000061
[  165.265760][T22438] x11: 0000000000000707 x10: 0000000000000361 x9 : 0000000000000361
[  165.265767][T22438] x8 : 0000000000000002 x7 : 0000000000000000 x6 : ffffffc0330a39ac
[  165.265773][T22438] x5 : ffffffc0330a3b60 x4 : ffffffc0330a3b48 x3 : ffffffc0330a3b60
[  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
[  165.265787][T22438] Call trace:
[  165.265789][T22438]  avtab_search_node+0xe4/0x138
[  165.265793][T22438]  security_compute_av+0x18c/0x3f4
[  165.265798][T22438]  avc_compute_av+0x84/0xe4
[  165.265804][T22438]  avc_has_perm+0x188/0x1f4
[  165.265808][T22438]  selinux_task_alloc+0x48/0x58
[  165.265812][T22438]  security_task_alloc+0x84/0x150
[  165.265816][T22438]  copy_process+0x51c/0xe98
[  165.265823][T22438]  kernel_clone+0xb8/0x684
[  165.265827][T22438]  __arm64_sys_clone+0x5c/0x8c
[  165.265831][T22438]  invoke_syscall+0x60/0x150
[  165.265836][T22438]  el0_svc_common+0x98/0x114
[  165.265840][T22438]  do_el0_svc+0x28/0xa0
[  165.265843][T22438]  el0_svc+0x28/0x90
[  165.265848][T22438]  el0t_64_sync_handler+0x88/0xec
[  165.265852][T22438]  el0t_64_sync+0x1b4/0x1b8
[  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c) 
[  165.265862][T22438] ---[ end trace 78d0a75f861b1c77 ]---

The kernel panic occurs while accessing cur at line 231 of the code snippet below.

218 struct avtab_node *avtab_search_node(struct avtab *h,
219                                                             const struct avtab_key *key)
220 {
221        int hvalue;
222        struct avtab_node *cur;
223        u16 specified = key->specified & ~(AVTAB_ENABLED|AVTAB_ENABLED_OLD);
224 
225        if (!h || !h->nslot)
226                        return NULL;
227 
228        hvalue = avtab_hash(key, h->mask);
229        for (cur = h->htable[hvalue]; cur;
230             cur = cur->next) {
231                        if (key->source_type == cur->key.source_type &&
232                            key->target_type == cur->key.target_type &&
233                            key->target_class == cur->key.target_class &&
234                            (specified & cur->key.specified))
235                                        return cur;

In the above code, null checks are properly handled, so I suspect the hashtable is getting modified by another thread/process when it is accessing the code.

Can you please provide your expert opinion on what could be the issue here and how to fix it?

Thanks,
Jaihind Yadav
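
Added example, not part of the original post: a small decoder for the A64 encodings on the oops `Code:` line, used to check which register the faulting instruction dereferenced. The `decode` and `triage` helpers are hypothetical names, the sample lines are copied from the log above, and only the four encodings present there are handled.

```python
import re

# Constructed sample: three lines copied from the oops quoted in the post.
OOPS = """\
[  165.265699][T22438] pc : avtab_search_node+0xe4/0x138
[  165.265780][T22438] x2 : ffffffc0330a3b48 x1 : ffffffc0330a3960 x0 : 0000000081000000
[  165.265858][T22438] Code: f86bd980 b4000260 79400c2b 1200396b (7940000c)
"""
FAULT_ADDR = 0x81000000  # "at virtual address" value from the oops
EXT = {2: "uxtw", 3: "lsl", 6: "sxtw", 7: "sxtx"}


def decode(word):
    """Decode only the A64 encodings seen here -> (text, base_reg, offset)."""
    rt, rn = word & 0x1F, (word >> 5) & 0x1F
    if word >> 22 == 0x1E5:  # LDRH Wt, [Xn, #imm12 * 2]
        off = ((word >> 10) & 0xFFF) * 2
        return f"ldrh w{rt}, [x{rn}, #{off}]", rn, off
    if word >> 24 == 0xB4:  # CBZ Xt, label (forward offsets only here)
        return f"cbz x{rt}, .+{((word >> 5) & 0x7FFFF) * 4:#x}", None, None
    if (word & 0xFFE00C00) == 0xF8600800:  # LDR Xt, [Xn, Rm, extend #shift]
        rm, opt = (word >> 16) & 0x1F, (word >> 13) & 7
        idx = f"{'w' if opt in (2, 6) else 'x'}{rm}, {EXT.get(opt, '?')}"
        return f"ldr x{rt}, [x{rn}, {idx} #{3 * ((word >> 12) & 1)}]", None, None
    imms = (word >> 10) & 0x3F
    if word >> 22 == 0x48 and not (word >> 16) & 0x3F and imms < 31:
        # AND Wd, Wn, #imm: 32-bit element, no rotation -> low (imms+1) bits
        return f"and w{rt}, w{rn}, #{(1 << (imms + 1)) - 1:#x}", None, None
    return f".word {word:#010x}", None, None


def triage(oops, fault_addr):
    """Return (listing, faulting_text, effective_addr, matches_fault_addr)."""
    regs = {m[1]: int(m[2], 16)
            for m in re.finditer(r"\b(x\d+)\s*:\s*([0-9a-f]{16})", oops)}
    words = re.search(r"Code: (.+)", oops).group(1).split()
    listing = [decode(int(w.strip("()"), 16)) for w in words]
    # The kernel wraps the instruction at pc in parentheses.
    text, base, off = next(d for w, d in zip(words, listing) if w[0] == "(")
    ea = regs[f"x{base}"] + off
    return [d[0] for d in listing], text, ea, ea == fault_addr


if __name__ == "__main__":
    listing, text, ea, hit = triage(OOPS, FAULT_ADDR)
    print("\n".join(listing))
    print(f"pc -> {text}; address {ea:#x}; matches fault address: {hit}")
```

The instruction at pc is a halfword load at offset 0 from x0, and x0 holds the reported fault address 0x81000000, a non-NULL value that passes the `cur` test in the loop at line 229.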