diff mbox series

ima: Avoid blocking in RCU read-side critical section

Message ID 20240417074444.2834769-1-guozihua@huawei.com (mailing list archive)
State Changes Requested
Delegated to: Paul Moore
Headers show
Series ima: Avoid blocking in RCU read-side critical section | expand

Commit Message

Guozihua (Scott) April 17, 2024, 7:44 a.m. UTC
A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

(stack trace marked with ? is deleted)

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
|	Thread A	|	Thread B	|
|			|ima_match_policy	|
|			|  rcu_read_lock	|
|ima_lsm_update_rule	|			|
|  synchronize_rcu	|			|
|			|    kmalloc(GFP_KERNEL)|
|			|      sleep		|
==> synchronize_rcu returns early
|  kfree(entry)		|			|
|			|    entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
|			|    entry->action	|
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
---
 security/integrity/ima/ima_policy.c | 2 +-
 security/selinux/ss/services.c      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Stephen Smalley April 19, 2024, 9:41 p.m. UTC | #1
On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
>
> A panic happens in ima_match_policy:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> PGD 42f873067 P4D 0
> Oops: 0000 [#1] SMP NOPTI
> CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> RIP: 0010:ima_match_policy+0x84/0x450
> Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  ima_get_action+0x22/0x30
>  process_measurement+0xb0/0x830
>  ima_file_check+0x64/0x90
>  path_openat+0x571/0x1720
>  do_filp_open+0x9b/0x110
>  do_sys_open+0x1bd/0x250
>  do_syscall_64+0x5d/0x1d0
>  entry_SYSCALL_64_after_hwframe+0x65/0xca
>
> (stack trace marked with ? is deleted)
>
> Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> This implies a possible sleep and violates limitations of RCU read-side
> critical sections on non-PREEMPT systems.
>
> Sleeping within RCU read-side critical section might cause
> synchronize_rcu() returning early and break RCU protection, allowing a
> UAF to happen.
>
> The root cause of this issue could be described as follows:
> |       Thread A        |       Thread B        |
> |                       |ima_match_policy       |
> |                       |  rcu_read_lock        |
> |ima_lsm_update_rule    |                       |
> |  synchronize_rcu      |                       |
> |                       |    kmalloc(GFP_KERNEL)|
> |                       |      sleep            |
> ==> synchronize_rcu returns early
> |  kfree(entry)         |                       |
> |                       |    entry = entry->next|
> ==> UAF happens and entry now becomes NULL (or could be anything).
> |                       |    entry->action      |
> ==> Accessing entry might cause panic.
>
> To fix this issue, we are converting all kmalloc that is called within
> RCU read-side critical section to use GFP_ATOMIC.
>
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Cc: stable@vger.kernel.org
> Signed-off-by: GUO Zihua <guozihua@huawei.com>
> ---
>  security/integrity/ima/ima_policy.c | 2 +-
>  security/selinux/ss/services.c      | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index c0556907c2e6..c0cf9b6a01f0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>          * Immutable elements are copied over as pointers and data; only
>          * lsm rules can change
>          */
> -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
>         if (!nentry)
>                 return NULL;
>
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index e88b1b6c4adb..b7cfad1a2964 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>                 return -EINVAL;
>         }
>
> -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);

I would suggest passing in gfp flags from the callers and only using
GFP_ATOMIC for the particular call chain that requires atomic
allocations, or re-factoring the caller to perform the allocating
operations outside of the critical section.
Sidebar: the refactoring of the SELinux policy loading logic may have
made it possible to revisit the approaches here to permit holding a
reference to the policy from which the rule was derived so that we
don't have to return -ESTALE in this scenario.

>         if (!tmprule)
>                 return -ENOMEM;
>         context_init(&tmprule->au_ctxt);
> --

>
Guozihua (Scott) April 22, 2024, 1:26 a.m. UTC | #2
On 2024/4/20 5:41, Stephen Smalley wrote:
> On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
>>
>> A panic happens in ima_match_policy:
>>
>> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>> PGD 42f873067 P4D 0
>> Oops: 0000 [#1] SMP NOPTI
>> CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
>> RIP: 0010:ima_match_policy+0x84/0x450
>> Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
>> RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
>> RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
>> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
>> R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
>> R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
>> FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>  ima_get_action+0x22/0x30
>>  process_measurement+0xb0/0x830
>>  ima_file_check+0x64/0x90
>>  path_openat+0x571/0x1720
>>  do_filp_open+0x9b/0x110
>>  do_sys_open+0x1bd/0x250
>>  do_syscall_64+0x5d/0x1d0
>>  entry_SYSCALL_64_after_hwframe+0x65/0xca
>>
>> (stack trace marked with ? is deleted)
>>
>> Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
>> ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
>> RCU read-side critical section which contains kmalloc with GFP_KERNEL.
>> This implies a possible sleep and violates limitations of RCU read-side
>> critical sections on non-PREEMPT systems.
>>
>> Sleeping within RCU read-side critical section might cause
>> synchronize_rcu() returning early and break RCU protection, allowing a
>> UAF to happen.
>>
>> The root cause of this issue could be described as follows:
>> |       Thread A        |       Thread B        |
>> |                       |ima_match_policy       |
>> |                       |  rcu_read_lock        |
>> |ima_lsm_update_rule    |                       |
>> |  synchronize_rcu      |                       |
>> |                       |    kmalloc(GFP_KERNEL)|
>> |                       |      sleep            |
>> ==> synchronize_rcu returns early
>> |  kfree(entry)         |                       |
>> |                       |    entry = entry->next|
>> ==> UAF happens and entry now becomes NULL (or could be anything).
>> |                       |    entry->action      |
>> ==> Accessing entry might cause panic.
>>
>> To fix this issue, we are converting all kmalloc that is called within
>> RCU read-side critical section to use GFP_ATOMIC.
>>
>> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: GUO Zihua <guozihua@huawei.com>
>> ---
>>  security/integrity/ima/ima_policy.c | 2 +-
>>  security/selinux/ss/services.c      | 2 +-
>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index c0556907c2e6..c0cf9b6a01f0 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>>          * Immutable elements are copied over as pointers and data; only
>>          * lsm rules can change
>>          */
>> -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
>> +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
>>         if (!nentry)
>>                 return NULL;
>>
>> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
>> index e88b1b6c4adb..b7cfad1a2964 100644
>> --- a/security/selinux/ss/services.c
>> +++ b/security/selinux/ss/services.c
>> @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>>                 return -EINVAL;
>>         }
>>
>> -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
>> +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> 
> I would suggest passing in gfp flags from the callers and only using
> GFP_ATOMIC for the particular call chain that requires atomic
> allocations, or re-factoring the caller to perform the allocating
> operations outside of the critical section.

Well unfortunately the SELinux involved in this patch is called via
security hooks. Adding new flags would mean define macros as well as all
the callers and implementations would have to be changed.

> Sidebar: the refactoring of the SELinux policy loading logic may have
> made it possible to revisit the approaches here to permit holding a
> reference to the policy from which the rule was derived so that we
> don't have to return -ESTALE in this scenario.

This would be nice if we are able to make this re-init happen in-place
which would spare IMA from initializing a temporary rule and the list
replace behavior.
> 
>>         if (!tmprule)
>>                 return -ENOMEM;
>>         context_init(&tmprule->au_ctxt);
>> --
> 
>>
Stephen Smalley April 22, 2024, 12:18 p.m. UTC | #3
On Sun, Apr 21, 2024 at 9:26 PM Guozihua (Scott) <guozihua@huawei.com> wrote:
>
> On 2024/4/20 5:41, Stephen Smalley wrote:
> > On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
> >>
> >> A panic happens in ima_match_policy:
> >>
> >> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> >> PGD 42f873067 P4D 0
> >> Oops: 0000 [#1] SMP NOPTI
> >> CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> >> RIP: 0010:ima_match_policy+0x84/0x450
> >> Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> >> RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> >> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> >> RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> >> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> >> R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> >> R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> >> FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> >> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> Call Trace:
> >>  ima_get_action+0x22/0x30
> >>  process_measurement+0xb0/0x830
> >>  ima_file_check+0x64/0x90
> >>  path_openat+0x571/0x1720
> >>  do_filp_open+0x9b/0x110
> >>  do_sys_open+0x1bd/0x250
> >>  do_syscall_64+0x5d/0x1d0
> >>  entry_SYSCALL_64_after_hwframe+0x65/0xca
> >>
> >> (stack trace marked with ? is deleted)
> >>
> >> Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> >> ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> >> RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> >> This implies a possible sleep and violates limitations of RCU read-side
> >> critical sections on non-PREEMPT systems.
> >>
> >> Sleeping within RCU read-side critical section might cause
> >> synchronize_rcu() returning early and break RCU protection, allowing a
> >> UAF to happen.
> >>
> >> The root cause of this issue could be described as follows:
> >> |       Thread A        |       Thread B        |
> >> |                       |ima_match_policy       |
> >> |                       |  rcu_read_lock        |
> >> |ima_lsm_update_rule    |                       |
> >> |  synchronize_rcu      |                       |
> >> |                       |    kmalloc(GFP_KERNEL)|
> >> |                       |      sleep            |
> >> ==> synchronize_rcu returns early
> >> |  kfree(entry)         |                       |
> >> |                       |    entry = entry->next|
> >> ==> UAF happens and entry now becomes NULL (or could be anything).
> >> |                       |    entry->action      |
> >> ==> Accessing entry might cause panic.
> >>
> >> To fix this issue, we are converting all kmalloc that is called within
> >> RCU read-side critical section to use GFP_ATOMIC.
> >>
> >> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: GUO Zihua <guozihua@huawei.com>
> >> ---
> >>  security/integrity/ima/ima_policy.c | 2 +-
> >>  security/selinux/ss/services.c      | 2 +-
> >>  2 files changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> >> index c0556907c2e6..c0cf9b6a01f0 100644
> >> --- a/security/integrity/ima/ima_policy.c
> >> +++ b/security/integrity/ima/ima_policy.c
> >> @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> >>          * Immutable elements are copied over as pointers and data; only
> >>          * lsm rules can change
> >>          */
> >> -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> >> +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
> >>         if (!nentry)
> >>                 return NULL;
> >>
> >> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> >> index e88b1b6c4adb..b7cfad1a2964 100644
> >> --- a/security/selinux/ss/services.c
> >> +++ b/security/selinux/ss/services.c
> >> @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >>                 return -EINVAL;
> >>         }
> >>
> >> -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> >> +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> >
> > I would suggest passing in gfp flags from the callers and only using
> > GFP_ATOMIC for the particular call chain that requires atomic
> > allocations, or re-factoring the caller to perform the allocating
> > operations outside of the critical section.
>
> Well unfortunately the SELinux involved in this patch is called via
> security hooks. Adding new flags would mean define macros as well as all
> the callers and implementations would have to be changed.

That is ok if it is what is required to fix this correctly. However,
if you can re-factor the caller to move the allocation outside of the
RCU read lock, or eliminate the need for an allocation altogether,
that would be better.

> > Sidebar: the refactoring of the SELinux policy loading logic may have
> > made it possible to revisit the approaches here to permit holding a
> > reference to the policy from which the rule was derived so that we
> > don't have to return -ESTALE in this scenario.
>
> This would be nice if we are able to make this re-init happen in-place
> which would spare IMA from initializing a temporary rule and the list
> replace behavior.

Yes, that would be best if possible.
Guozihua (Scott) April 23, 2024, 7:30 a.m. UTC | #4
On 2024/4/22 20:18, Stephen Smalley wrote:
> On Sun, Apr 21, 2024 at 9:26 PM Guozihua (Scott) <guozihua@huawei.com> wrote:
>>
>> On 2024/4/20 5:41, Stephen Smalley wrote:
>>> On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
>>>>
>>>> A panic happens in ima_match_policy:
>>>>
>>>> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>>>> PGD 42f873067 P4D 0
>>>> Oops: 0000 [#1] SMP NOPTI
>>>> CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
>>>> RIP: 0010:ima_match_policy+0x84/0x450
>>>> Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
>>>> RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
>>>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
>>>> RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
>>>> RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
>>>> R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
>>>> R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
>>>> FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
>>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
>>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>> Call Trace:
>>>>  ima_get_action+0x22/0x30
>>>>  process_measurement+0xb0/0x830
>>>>  ima_file_check+0x64/0x90
>>>>  path_openat+0x571/0x1720
>>>>  do_filp_open+0x9b/0x110
>>>>  do_sys_open+0x1bd/0x250
>>>>  do_syscall_64+0x5d/0x1d0
>>>>  entry_SYSCALL_64_after_hwframe+0x65/0xca
>>>>
>>>> (stack trace marked with ? is deleted)
>>>>
>>>> Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
>>>> ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
>>>> RCU read-side critical section which contains kmalloc with GFP_KERNEL.
>>>> This implies a possible sleep and violates limitations of RCU read-side
>>>> critical sections on non-PREEMPT systems.
>>>>
>>>> Sleeping within RCU read-side critical section might cause
>>>> synchronize_rcu() returning early and break RCU protection, allowing a
>>>> UAF to happen.
>>>>
>>>> The root cause of this issue could be described as follows:
>>>> |       Thread A        |       Thread B        |
>>>> |                       |ima_match_policy       |
>>>> |                       |  rcu_read_lock        |
>>>> |ima_lsm_update_rule    |                       |
>>>> |  synchronize_rcu      |                       |
>>>> |                       |    kmalloc(GFP_KERNEL)|
>>>> |                       |      sleep            |
>>>> ==> synchronize_rcu returns early
>>>> |  kfree(entry)         |                       |
>>>> |                       |    entry = entry->next|
>>>> ==> UAF happens and entry now becomes NULL (or could be anything).
>>>> |                       |    entry->action      |
>>>> ==> Accessing entry might cause panic.
>>>>
>>>> To fix this issue, we are converting all kmalloc that is called within
>>>> RCU read-side critical section to use GFP_ATOMIC.
>>>>
>>>> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>>>> Cc: stable@vger.kernel.org
>>>> Signed-off-by: GUO Zihua <guozihua@huawei.com>
>>>> ---
>>>>  security/integrity/ima/ima_policy.c | 2 +-
>>>>  security/selinux/ss/services.c      | 2 +-
>>>>  2 files changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>>>> index c0556907c2e6..c0cf9b6a01f0 100644
>>>> --- a/security/integrity/ima/ima_policy.c
>>>> +++ b/security/integrity/ima/ima_policy.c
>>>> @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>>>>          * Immutable elements are copied over as pointers and data; only
>>>>          * lsm rules can change
>>>>          */
>>>> -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
>>>> +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
>>>>         if (!nentry)
>>>>                 return NULL;
>>>>
>>>> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
>>>> index e88b1b6c4adb..b7cfad1a2964 100644
>>>> --- a/security/selinux/ss/services.c
>>>> +++ b/security/selinux/ss/services.c
>>>> @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
>>>>                 return -EINVAL;
>>>>         }
>>>>
>>>> -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
>>>> +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
>>>
>>> I would suggest passing in gfp flags from the callers and only using
>>> GFP_ATOMIC for the particular call chain that requires atomic
>>> allocations, or re-factoring the caller to perform the allocating
>>> operations outside of the critical section.
>>
>> Well unfortunately the SELinux involved in this patch is called via
>> security hooks. Adding new flags would mean define macros as well as all
>> the callers and implementations would have to be changed.
> 
> That is ok if it is what is required to fix this correctly. However,
> if you can re-factor the caller to move the allocation outside of the
> RCU read lock, or eliminate the need for an allocation altogether,
> that would be better.

This does not seems to be possible for now. The RCU lock circulates the
whole list access while there might be more LSM related rules within the
list. Besides we cannot release the RCU lock before allocation, this
would trigger an UAF immediately.

Will send a v2 adding a GFP mask for security hook as well as
ima_lsm_copy_rule.
> 
>>> Sidebar: the refactoring of the SELinux policy loading logic may have
>>> made it possible to revisit the approaches here to permit holding a
>>> reference to the policy from which the rule was derived so that we
>>> don't have to return -ESTALE in this scenario.
>>
>> This would be nice if we are able to make this re-init happen in-place
>> which would spare IMA from initializing a temporary rule and the list
>> replace behavior.
> 
> Yes, that would be best if possible.
Roberto Sassu May 8, 2024, 8:32 a.m. UTC | #5
On Fri, 2024-04-19 at 14:41 -0700, Stephen Smalley wrote:
> On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
> > 
> > A panic happens in ima_match_policy:
> > 
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> > PGD 42f873067 P4D 0
> > Oops: 0000 [#1] SMP NOPTI
> > CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> > RIP: 0010:ima_match_policy+0x84/0x450
> > Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> > RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> > RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> > R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> > R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> > FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  ima_get_action+0x22/0x30
> >  process_measurement+0xb0/0x830
> >  ima_file_check+0x64/0x90
> >  path_openat+0x571/0x1720
> >  do_filp_open+0x9b/0x110
> >  do_sys_open+0x1bd/0x250
> >  do_syscall_64+0x5d/0x1d0
> >  entry_SYSCALL_64_after_hwframe+0x65/0xca
> > 
> > (stack trace marked with ? is deleted)
> > 
> > Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> > ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> > RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> > This implies a possible sleep and violates limitations of RCU read-side
> > critical sections on non-PREEMPT systems.
> > 
> > Sleeping within RCU read-side critical section might cause
> > synchronize_rcu() returning early and break RCU protection, allowing a
> > UAF to happen.
> > 
> > The root cause of this issue could be described as follows:
> > >       Thread A        |       Thread B        |
> > >                       |ima_match_policy       |
> > >                       |  rcu_read_lock        |
> > > ima_lsm_update_rule    |                       |
> > >  synchronize_rcu      |                       |
> > >                       |    kmalloc(GFP_KERNEL)|
> > >                       |      sleep            |
> > ==> synchronize_rcu returns early
> > >  kfree(entry)         |                       |
> > >                       |    entry = entry->next|
> > ==> UAF happens and entry now becomes NULL (or could be anything).
> > >                       |    entry->action      |
> > ==> Accessing entry might cause panic.
> > 
> > To fix this issue, we are converting all kmalloc that is called within
> > RCU read-side critical section to use GFP_ATOMIC.
> > 
> > Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: GUO Zihua <guozihua@huawei.com>
> > ---
> >  security/integrity/ima/ima_policy.c | 2 +-
> >  security/selinux/ss/services.c      | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index c0556907c2e6..c0cf9b6a01f0 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> >          * Immutable elements are copied over as pointers and data; only
> >          * lsm rules can change
> >          */
> > -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> > +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
> >         if (!nentry)
> >                 return NULL;
> > 
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index e88b1b6c4adb..b7cfad1a2964 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> >                 return -EINVAL;
> >         }
> > 
> > -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> > +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> 
> I would suggest passing in gfp flags from the callers and only using
> GFP_ATOMIC for the particular call chain that requires atomic
> allocations, or re-factoring the caller to perform the allocating
> operations outside of the critical section.
> Sidebar: the refactoring of the SELinux policy loading logic may have
> made it possible to revisit the approaches here to permit holding a
> reference to the policy from which the rule was derived so that we
> don't have to return -ESTALE in this scenario.

That would be really nice, would simplify the code for us.

I was wondering if the label comparison would be still reliable after a
policy update. I was thinking for example the case where a type is
removed from the newer policy, and that type was used in an IMA rule.

Thanks

Roberto

> >         if (!tmprule)
> >                 return -ENOMEM;
> >         context_init(&tmprule->au_ctxt);
> > --
> 
> >
Mimi Zohar May 8, 2024, 11:19 a.m. UTC | #6
On Wed, 2024-05-08 at 10:32 +0200, Roberto Sassu wrote:
> On Fri, 2024-04-19 at 14:41 -0700, Stephen Smalley wrote:
> > On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
> > > A panic happens in ima_match_policy:
> > > 
> > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> > > PGD 42f873067 P4D 0
> > > Oops: 0000 [#1] SMP NOPTI
> > > CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> > > RIP: 0010:ima_match_policy+0x84/0x450
> > > Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> > > RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> > > RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> > > RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> > > R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> > > R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> > > FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  ima_get_action+0x22/0x30
> > >  process_measurement+0xb0/0x830
> > >  ima_file_check+0x64/0x90
> > >  path_openat+0x571/0x1720
> > >  do_filp_open+0x9b/0x110
> > >  do_sys_open+0x1bd/0x250
> > >  do_syscall_64+0x5d/0x1d0
> > >  entry_SYSCALL_64_after_hwframe+0x65/0xca
> > > 
> > > (stack trace marked with ? is deleted)
> > > 
> > > Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> > > ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> > > RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> > > This implies a possible sleep and violates limitations of RCU read-side
> > > critical sections on non-PREEMPT systems.
> > > 
> > > Sleeping within RCU read-side critical section might cause
> > > synchronize_rcu() returning early and break RCU protection, allowing a
> > > UAF to happen.
> > > 
> > > The root cause of this issue could be described as follows:
> > > >       Thread A        |       Thread B        |
> > > >                       |ima_match_policy       |
> > > >                       |  rcu_read_lock        |
> > > > ima_lsm_update_rule    |                       |
> > > >  synchronize_rcu      |                       |
> > > >                       |    kmalloc(GFP_KERNEL)|
> > > >                       |      sleep            |
> > > ==> synchronize_rcu returns early
> > > >  kfree(entry)         |                       |
> > > >                       |    entry = entry->next|
> > > ==> UAF happens and entry now becomes NULL (or could be anything).
> > > >                       |    entry->action      |
> > > ==> Accessing entry might cause panic.
> > > 
> > > To fix this issue, we are converting all kmalloc that is called within
> > > RCU read-side critical section to use GFP_ATOMIC.
> > > 
> > > Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: GUO Zihua <guozihua@huawei.com>
> > > ---
> > >  security/integrity/ima/ima_policy.c | 2 +-
> > >  security/selinux/ss/services.c      | 2 +-
> > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > > index c0556907c2e6..c0cf9b6a01f0 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> > > @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> > >          * Immutable elements are copied over as pointers and data; only
> > >          * lsm rules can change
> > >          */
> > > -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> > > +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
> > >         if (!nentry)
> > >                 return NULL;
> > > 
> > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > > index e88b1b6c4adb..b7cfad1a2964 100644
> > > --- a/security/selinux/ss/services.c
> > > +++ b/security/selinux/ss/services.c
> > > @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> > >                 return -EINVAL;
> > >         }
> > > 
> > > -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> > > +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> > 
> > I would suggest passing in gfp flags from the callers and only using
> > GFP_ATOMIC for the particular call chain that requires atomic
> > allocations, or re-factoring the caller to perform the allocating
> > operations outside of the critical section.
> > Sidebar: the refactoring of the SELinux policy loading logic may have
> > made it possible to revisit the approaches here to permit holding a
> > reference to the policy from which the rule was derived so that we
> > don't have to return -ESTALE in this scenario.
> 
> That would be really nice, would simplify the code for us.
> 
> I was wondering if the label comparison would be still reliable after a
> policy update. I was thinking for example the case where a type is
> removed from the newer policy, and that type was used in an IMA rule.

Yes, I was concerned too.  We followed Stephen's suggestion to ignore the IMA
policy rules containing an unknown SELinux label.  The original discussion can
be found here: 
https://lore.kernel.org/linux-integrity/1432f617-424e-044c-4f78-47f1100262ae@tycho.nsa.gov/

thanks,

Mimi
Stephen Smalley May 8, 2024, 3:15 p.m. UTC | #7
On Wed, May 8, 2024 at 4:33 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
>
> On Fri, 2024-04-19 at 14:41 -0700, Stephen Smalley wrote:
> > On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
> > >
> > > A panic happens in ima_match_policy:
> > >
> > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> > > PGD 42f873067 P4D 0
> > > Oops: 0000 [#1] SMP NOPTI
> > > CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> > > RIP: 0010:ima_match_policy+0x84/0x450
> > > Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> > > RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> > > RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> > > RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> > > R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> > > R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> > > FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  ima_get_action+0x22/0x30
> > >  process_measurement+0xb0/0x830
> > >  ima_file_check+0x64/0x90
> > >  path_openat+0x571/0x1720
> > >  do_filp_open+0x9b/0x110
> > >  do_sys_open+0x1bd/0x250
> > >  do_syscall_64+0x5d/0x1d0
> > >  entry_SYSCALL_64_after_hwframe+0x65/0xca
> > >
> > > (stack trace marked with ? is deleted)
> > >
> > > Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> > > ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> > > RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> > > This implies a possible sleep and violates limitations of RCU read-side
> > > critical sections on non-PREEMPT systems.
> > >
> > > Sleeping within RCU read-side critical section might cause
> > > synchronize_rcu() returning early and break RCU protection, allowing a
> > > UAF to happen.
> > >
> > > The root cause of this issue could be described as follows:
> > > >       Thread A        |       Thread B        |
> > > >                       |ima_match_policy       |
> > > >                       |  rcu_read_lock        |
> > > > ima_lsm_update_rule    |                       |
> > > >  synchronize_rcu      |                       |
> > > >                       |    kmalloc(GFP_KERNEL)|
> > > >                       |      sleep            |
> > > ==> synchronize_rcu returns early
> > > >  kfree(entry)         |                       |
> > > >                       |    entry = entry->next|
> > > ==> UAF happens and entry now becomes NULL (or could be anything).
> > > >                       |    entry->action      |
> > > ==> Accessing entry might cause panic.
> > >
> > > To fix this issue, we are converting all kmalloc that is called within
> > > RCU read-side critical section to use GFP_ATOMIC.
> > >
> > > Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: GUO Zihua <guozihua@huawei.com>
> > > ---
> > >  security/integrity/ima/ima_policy.c | 2 +-
> > >  security/selinux/ss/services.c      | 2 +-
> > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > > index c0556907c2e6..c0cf9b6a01f0 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> > > @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> > >          * Immutable elements are copied over as pointers and data; only
> > >          * lsm rules can change
> > >          */
> > > -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> > > +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
> > >         if (!nentry)
> > >                 return NULL;
> > >
> > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > > index e88b1b6c4adb..b7cfad1a2964 100644
> > > --- a/security/selinux/ss/services.c
> > > +++ b/security/selinux/ss/services.c
> > > @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> > >                 return -EINVAL;
> > >         }
> > >
> > > -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> > > +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> >
> > I would suggest passing in gfp flags from the callers and only using
> > GFP_ATOMIC for the particular call chain that requires atomic
> > allocations, or re-factoring the caller to perform the allocating
> > operations outside of the critical section.
> > Sidebar: the refactoring of the SELinux policy loading logic may have
> > made it possible to revisit the approaches here to permit holding a
> > reference to the policy from which the rule was derived so that we
> > don't have to return -ESTALE in this scenario.
>
> That would be really nice, would simplify the code for us.
>
> I was wondering if the label comparison would be still reliable after a
> policy update. I was thinking for example the case where a type is
> removed from the newer policy, and that type was used in an IMA rule.

The basic idea would be to add a refcount to struct selinux_policy,
add a reference to the corresponding selinux_policy in
selinux_audit_rule (same as for ima), and defer the freeing of the
selinux_policy until the refcount goes to zero. And have
selinux_audit_rule_match() use the policy from the audit rule instead
of the global state/active policy. That said, looking at it again, I'm
not confident that would work since we'd likely end up looking up a
SID from one policy in the SID table of another...
Stephen Smalley May 8, 2024, 3:25 p.m. UTC | #8
On Wed, May 8, 2024 at 11:15 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, May 8, 2024 at 4:33 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> >
> > On Fri, 2024-04-19 at 14:41 -0700, Stephen Smalley wrote:
> > > On Wed, Apr 17, 2024 at 12:49 AM GUO Zihua <guozihua@huawei.com> wrote:
> > > >
> > > > A panic happens in ima_match_policy:
> > > >
> > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> > > > PGD 42f873067 P4D 0
> > > > Oops: 0000 [#1] SMP NOPTI
> > > > CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
> > > > RIP: 0010:ima_match_policy+0x84/0x450
> > > > Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
> > > > RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
> > > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
> > > > RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
> > > > RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
> > > > R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
> > > > R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
> > > > FS:  00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000
> > > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
> > > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > > Call Trace:
> > > >  ima_get_action+0x22/0x30
> > > >  process_measurement+0xb0/0x830
> > > >  ima_file_check+0x64/0x90
> > > >  path_openat+0x571/0x1720
> > > >  do_filp_open+0x9b/0x110
> > > >  do_sys_open+0x1bd/0x250
> > > >  do_syscall_64+0x5d/0x1d0
> > > >  entry_SYSCALL_64_after_hwframe+0x65/0xca
> > > >
> > > > (stack trace marked with ? is deleted)
> > > >
> > > > Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> > > > ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
> > > > RCU read-side critical section which contains kmalloc with GFP_KERNEL.
> > > > This implies a possible sleep and violates limitations of RCU read-side
> > > > critical sections on non-PREEMPT systems.
> > > >
> > > > Sleeping within RCU read-side critical section might cause
> > > > synchronize_rcu() returning early and break RCU protection, allowing a
> > > > UAF to happen.
> > > >
> > > > The root cause of this issue could be described as follows:
> > > > >       Thread A        |       Thread B        |
> > > > >                       |ima_match_policy       |
> > > > >                       |  rcu_read_lock        |
> > > > > ima_lsm_update_rule    |                       |
> > > > >  synchronize_rcu      |                       |
> > > > >                       |    kmalloc(GFP_KERNEL)|
> > > > >                       |      sleep            |
> > > > ==> synchronize_rcu returns early
> > > > >  kfree(entry)         |                       |
> > > > >                       |    entry = entry->next|
> > > > ==> UAF happens and entry now becomes NULL (or could be anything).
> > > > >                       |    entry->action      |
> > > > ==> Accessing entry might cause panic.
> > > >
> > > > To fix this issue, we are converting all kmalloc that is called within
> > > > RCU read-side critical section to use GFP_ATOMIC.
> > > >
> > > > Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: GUO Zihua <guozihua@huawei.com>
> > > > ---
> > > >  security/integrity/ima/ima_policy.c | 2 +-
> > > >  security/selinux/ss/services.c      | 2 +-
> > > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > > > index c0556907c2e6..c0cf9b6a01f0 100644
> > > > --- a/security/integrity/ima/ima_policy.c
> > > > +++ b/security/integrity/ima/ima_policy.c
> > > > @@ -410,7 +410,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> > > >          * Immutable elements are copied over as pointers and data; only
> > > >          * lsm rules can change
> > > >          */
> > > > -       nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
> > > > +       nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
> > > >         if (!nentry)
> > > >                 return NULL;
> > > >
> > > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > > > index e88b1b6c4adb..b7cfad1a2964 100644
> > > > --- a/security/selinux/ss/services.c
> > > > +++ b/security/selinux/ss/services.c
> > > > @@ -3549,7 +3549,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> > > >                 return -EINVAL;
> > > >         }
> > > >
> > > > -       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
> > > > +       tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
> > >
> > > I would suggest passing in gfp flags from the callers and only using
> > > GFP_ATOMIC for the particular call chain that requires atomic
> > > allocations, or re-factoring the caller to perform the allocating
> > > operations outside of the critical section.
> > > Sidebar: the refactoring of the SELinux policy loading logic may have
> > > made it possible to revisit the approaches here to permit holding a
> > > reference to the policy from which the rule was derived so that we
> > > don't have to return -ESTALE in this scenario.
> >
> > That would be really nice, would simplify the code for us.
> >
> > I was wondering if the label comparison would be still reliable after a
> > policy update. I was thinking for example the case where a type is
> > removed from the newer policy, and that type was used in an IMA rule.
>
> The basic idea would be to add a refcount to struct selinux_policy,
> add a reference to the corresponding selinux_policy in
> selinux_audit_rule (same as for ima), and defer the freeing of the
> selinux_policy until the refcount goes to zero. And have
> selinux_audit_rule_match() use the policy from the audit rule instead
> of the global state/active policy. That said, looking at it again, I'm
> not confident that would work since we'd likely end up looking up a
> SID from one policy in the SID table of another...

Actually, that might be ok since on policy reload we convert over all
existing SIDs, so the SIDs themselves don't change.
So we'd look up the SID in the old policy's SID table, obtaining its
old user/role/type/level values, and compare against the values in the
audit rule created from the old policy.
In theory, that should work. YMMV.
diff mbox series

Patch

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c0556907c2e6..c0cf9b6a01f0 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -410,7 +410,7 @@  static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 	 * Immutable elements are copied over as pointers and data; only
 	 * lsm rules can change
 	 */
-	nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
+	nentry = kmemdup(entry, sizeof(*nentry), GFP_ATOMIC);
 	if (!nentry)
 		return NULL;
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e88b1b6c4adb..b7cfad1a2964 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3549,7 +3549,7 @@  int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
 		return -EINVAL;
 	}
 
-	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
+	tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_ATOMIC);
 	if (!tmprule)
 		return -ENOMEM;
 	context_init(&tmprule->au_ctxt);