On Wed, Aug 14, 2024 at 1:52 AM Jaihind Yadav (QUIC) <quic_jaihindy@xxxxxxxxxxx> wrote:
>
> Hi @selinux@xxxxxxxxxxxxxxx,
>
> We are getting the crash below while doing "cp" of executables to /system/bin inside adb shell.
> Reproducible steps:
> adb root
> adb remount
> adb shell
> cp <file_name> /system/bin
>
>
> Crash :
>
> [  298.902980][ T7012] pstate: 60400005 (nZCv daif +PAN -UAO)
> [  298.908637][ T7012] pc : file_has_perm+0x64/0x1f0
> [  298.913483][ T7012] lr : file_has_perm+0x1bc/0x1f0
> [  298.918415][ T7012] sp : ffffffc02a3c3b80
> [  298.922556][ T7012] x29: ffffffc02a3c3bb0 x28: 0000000000010000
> [  298.928744][ T7012] x27: 0000000000010000 x26: ffffffe94ca17000
> [  298.934927][ T7012] x25: 0000000000000000 x24: ffffffaca6e90008
> [  298.941102][ T7012] x23: ffffffe94bf77000 x22: ffffffad42699d00
> [  298.947283][ T7012] x21: ffffffacb8829b40 x20: 0000000000000000
> [  298.953467][ T7012] x19: 0000000000000002 x18: ffffffc01ffb3050
> [  298.959652][ T7012] x17: 0000000000000031 x16: ffffffe94b265120
> [  298.965836][ T7012] x15: ffffffe94bf76417 x14: ffffffad3d3cfa00
> [  298.972014][ T7012] x13: 0000000000000004 x12: 0000000155de28d6
> [  298.978197][ T7012] x11: 0000000000000015 x10: 000000000682aaab
> [  298.984379][ T7012] x9 : dcd4944bf4caa800 x8 : 0000000000000000
> [  298.990561][ T7012] x7 : ffffffe949f06644 x6 : ffffffad3cbce518
> [  298.996741][ T7012] x5 : 0000000000000000 x4 : 0000000000000008
> [  299.002919][ T7012] x3 : ffffffad3cbce468 x2 : ffffffe949fb6d84
> [  299.009106][ T7012] x1 : ffffffe949fb6d84 x0 : 000000000000001a
> [  299.015286][ T7012] Call trace:
> [  299.018527][ T7012]  file_has_perm+0x64/0x1f0
> [  299.023025][ T7012]  selinux_file_permission+0x1a0/0x224
> [  299.028501][ T7012]  security_file_permission+0x54/0x150
> [  299.033972][ T7012]  rw_verify_area+0x70/0xe8
> [  299.038460][ T7012]  splice_direct_to_actor+0xc0/0x318
> [  299.043757][ T7012]  do_splice_direct+0x84/0xd8
> [  299.048423][ T7012]  vfs_copy_file_range+0x1c4/0x458
> [  299.053545][ T7012]  __arm64_sys_copy_file_range+0xe8/0x1a8
> [  299.059289][ T7012]  el0_svc_common+0xcc/0x1d8
> [  299.063876][ T7012]  el0_svc_handler+0x84/0x90
> [  299.068456][ T7012]  el0_svc+0x8/0x100
> [  299.072318][ T7012] Code: b4000ae0 f9403e88 b987cee9 8b090108 (b9400501)
> [  299.079300][ T7012] ---[ end trace 9ef748cec7fd66eb ]---
> [  299.084775][ T7012] Kernel panic - not syncing: Fatal exception
>
>
> Analysis :
>
> We added the log in current_sid function and found out current_cred is coming as NULL.
>
> /*
>  * get the subjective security ID of the current task
>  */
> static inline u32 current_sid(void)
> {
>         const struct task_security_struct *tsec = selinux_cred(current_cred());
>
>         return tsec->sid;
> }
>
> extern struct lsm_blob_sizes selinux_blob_sizes;
> static inline struct task_security_struct *selinux_cred(const struct cred *cred)
> {
> +       if (cred == NULL) {
> +               pr_err("SELinux: cred is NULL ...\n");
> +               return 0;
> +       }
>         return cred->security + selinux_blob_sizes.lbs_cred;
> }
>
> comm 'cp' has a 'cred' value of zero, which is causing the above crash.
>
> Could you please provide your expert opinion on how to fix this issue.

A NULL current_cred() is not a bug in SELinux but rather a bug elsewhere in the kernel - that should never be NULL, at least not in process context. You didn't mention the kernel version or whether it has any out-of-tree patches or modules, which is where I would suggest looking first.

-
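Review bot: the NULL guard added to selinux_cred() returns 0, but the only caller shown, current_sid(), dereferences that result unconditionally (`return tsec->sid;`), so with cred == NULL the fault just moves from selinux_cred() up to current_sid() and the debug patch does not keep the kernel alive long enough to tell you anything. Since the point of the patch is diagnosis, leave the return value alone and record where the NULL arrived from instead: a `WARN_ON_ONCE(!cred)` (or the existing `pr_err()` followed by `dump_stack()`) placed before the `cred->security` access gives the backtrace of the first caller that reaches SELinux with a NULL cred, whereas a bare pr_err() in a hook hit on every file access only floods the log without naming the origin.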
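As an added example that is not part of this thread and not SELinux project code, the following userspace harness copies a file through copy_file_range(2), the syscall the call trace above enters via __arm64_sys_copy_file_range -> vfs_copy_file_range -> do_splice_direct, or, when asked, through a plain read/write loop. Running both variants against the same destination on the affected device shows whether any write into /system/bin trips the fault or only the splice-backed copy_file_range path does, which narrows where a NULL cred could be coming from before digging through out-of-tree code. The COPY_PATH_* names, the helper functions, the force_rw switch and the sample file contents are constructed for this demo; SYS_copy_file_range comes from the libc headers.

```c
/* Added example (not code from the thread or from SELinux): exercise the
 * copy_file_range(2) path from the call trace, or a plain read/write path,
 * and report which one did the copy. Names and sample data are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#if defined(__linux__)
#include <sys/syscall.h>
#endif

enum copy_path { COPY_PATH_NONE = 0, COPY_PATH_CFR = 1, COPY_PATH_RW = 2 };

/* Plain read/write copy of an already-open fd pair; returns bytes copied or -1. */
static long copy_rw(int in, int out)
{
    static char buf[65536];
    long total = 0;
    for (;;) {
        ssize_t n = read(in, buf, sizeof buf);
        if (n < 0) return -1;
        if (n == 0) return total;
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
        total += n;
    }
}

/* copy_file_range(2) copy of len bytes; returns bytes copied, or -1 with errno set.
 * Raw syscall so it builds against libcs without the wrapper; a non-Linux build
 * reports ENOSYS so the caller takes the fallback. */
static long copy_cfr(int in, int out, size_t len)
{
#if defined(__linux__) && defined(SYS_copy_file_range)
    long total = 0;
    while ((size_t)total < len) {
        long n = syscall(SYS_copy_file_range, in, NULL, out, NULL, len - (size_t)total, 0);
        if (n < 0) return -1;
        if (n == 0) break;          /* source shrank underneath us */
        total += n;
    }
    return total;
#else
    (void)in; (void)out; (void)len;
    errno = ENOSYS;
    return -1;
#endif
}

/* Copy src to dst. With force_rw == 0 the copy_file_range path is tried first
 * and read/write is used only if the kernel, filesystem or a seccomp filter
 * refuses it; with force_rw != 0 read/write is used unconditionally.
 * Returns bytes copied or -1; *path_used records which path did the work. */
long copy_file(const char *src, const char *dst, int force_rw, int *path_used)
{
    *path_used = COPY_PATH_NONE;
    int in = open(src, O_RDONLY | O_CLOEXEC);
    if (in < 0) return -1;
    struct stat st;
    if (fstat(in, &st) < 0) { close(in); return -1; }
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (out < 0) { close(in); return -1; }

    long n = -1;
    if (force_rw) errno = ENOSYS; else n = copy_cfr(in, out, (size_t)st.st_size);
    if (n >= 0) {
        *path_used = COPY_PATH_CFR;
    } else if (errno == ENOSYS || errno == EXDEV || errno == EINVAL ||
               errno == EOPNOTSUPP || errno == EPERM) {
        /* rewind both sides so a partial copy_file_range leaves no junk behind */
        if (lseek(in, 0, SEEK_SET) == 0 && ftruncate(out, 0) == 0) {
            n = copy_rw(in, out);
            if (n >= 0) *path_used = COPY_PATH_RW;
        }
    }
    close(in);
    close(out);
    return n;
}

/* File helpers so the demo can build and check its own constructed input. */
int write_sample(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    size_t len = strlen(data);
    int ok = fwrite(data, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

long read_back(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(int argc, char **argv)
{
    const char *src = argc > 2 ? argv[1] : "/tmp/cfr_demo_src.txt";
    const char *dst = argc > 2 ? argv[2] : "/tmp/cfr_demo_dst.txt";
    int force_rw = argc > 3 && strcmp(argv[3], "rw") == 0;
    if (argc <= 2 && write_sample(src, "constructed sample payload\n") != 0) return 1;
    int path = 0;
    long n = copy_file(src, dst, force_rw, &path);
    if (n < 0) { perror("copy_file"); return 1; }
    printf("copied %ld bytes via %s\n", n,
           path == COPY_PATH_CFR ? "copy_file_range" : "read/write");
    return 0;
}
```

Built with an aarch64 toolchain and pushed to the device, it is run twice against the same destination, once as `cfr_demo <src> /system/bin/<name>` and once with a trailing `rw` argument (binary name assumed). A panic on the first run only implicates the splice-backed copy_file_range path; a panic on both means the shell process itself is already carrying a bad cred, which is the case the reply above points at.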