Re: [PATCH] selinux: KASAN; slab-out-of-bounds in avc_lookup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Dec 9, 2024 at 8:00 PM Joey Jiao <quic_jiangenj@xxxxxxxxxxx> wrote:
> From: "Jiao, Joey" <quic_jiangenj@xxxxxxxxxxx>
>
> BUG: KASAN: slab-out-of-bounds in avc_lookup+0x174/0x298
> Read of size 8 at addr ffffff8846ef70b1 by task spdaemon/1037
>
> Call trace:
>  dump_backtrace+0xf0/0x13c
>  show_stack+0x18/0x28
>  dump_stack_lvl+0xd0/0x128
>  print_report+0x13c/0x6f8
>  kasan_report+0xe8/0x148
>  __asan_load8+0x98/0xa0
>  avc_lookup+0x174/0x298
>  avc_has_perm_noaudit+0x60/0x12c
>  selinux_inode_permission+0x278/0x3cc
>  security_inode_permission+0x84/0xc8
>  inode_permission+0xb8/0x2b8
>  link_path_walk+0x178/0x7c0
>  path_lookupat+0x6c/0x298
>  filename_lookup+0x11c/0x2e4
>  vfs_statx+0xb4/0x3f0
>  vfs_fstatat+0xfc/0x3e4
>  __arm64_sys_newfstatat+0x88/0x340
>  invoke_syscall+0x6c/0x17c
>  el0_svc_common+0xf8/0x138
>  do_el0_svc+0x30/0x40
>  el0_svc+0x3c/0x70
>  el0t_64_sync_handler+0x68/0xbc
>  el0t_64_sync+0x19c/0x1a0
>
> To fix this, protect the rcu read access
>
> Signed-off-by: Jiao, Joey <quic_jiangenj@xxxxxxxxxxx>
> ---
>  security/selinux/avc.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index 32eb67fb3e42..ded3823d4451 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -528,6 +528,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
>
>         hvalue = avc_hash(ssid, tsid, tclass);
>         head = &selinux_avc.avc_cache.slots[hvalue];
> +       rcu_read_lock();
>         hlist_for_each_entry_rcu(node, head, list) {
>                 if (ssid == node->ae.ssid &&
>                     tclass == node->ae.tclass &&
> @@ -536,6 +537,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
>                         break;
>                 }
>         }
> +       rcu_read_unlock();
>
>         return ret;
>  }
> --
> 2.47.1

Thanks for the bug report, do you have any more information about the
kernel that demonstrated this problem?

I'm asking because when I look at the kernel sources, all callers of
avc_search_node() should already be holding the RCU read lock:

  avc_has_extended_perms() or avc_has_perm_noaudit()
    avc_lookup()
      avc_search_node()

-- 
paul-moore.com
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux