| Message ID | 20241210010030.2854024-1-quic_jiangenj@quicinc.com (mailing list archive) |
|---|---|
| State | Under Review |
| Delegated to: | Paul Moore |
| Series | selinux: KASAN; slab-out-of-bounds in avc_lookup |
On Mon, Dec 9, 2024 at 8:00 PM Joey Jiao <quic_jiangenj@quicinc.com> wrote: > From: "Jiao, Joey" <quic_jiangenj@quicinc.com> > > BUG: KASAN: slab-out-of-bounds in avc_lookup+0x174/0x298 > Read of size 8 at addr ffffff8846ef70b1 by task spdaemon/1037 > > Call trace: > dump_backtrace+0xf0/0x13c > show_stack+0x18/0x28 > dump_stack_lvl+0xd0/0x128 > print_report+0x13c/0x6f8 > kasan_report+0xe8/0x148 > __asan_load8+0x98/0xa0 > avc_lookup+0x174/0x298 > avc_has_perm_noaudit+0x60/0x12c > selinux_inode_permission+0x278/0x3cc > security_inode_permission+0x84/0xc8 > inode_permission+0xb8/0x2b8 > link_path_walk+0x178/0x7c0 > path_lookupat+0x6c/0x298 > filename_lookup+0x11c/0x2e4 > vfs_statx+0xb4/0x3f0 > vfs_fstatat+0xfc/0x3e4 > __arm64_sys_newfstatat+0x88/0x340 > invoke_syscall+0x6c/0x17c > el0_svc_common+0xf8/0x138 > do_el0_svc+0x30/0x40 > el0_svc+0x3c/0x70 > el0t_64_sync_handler+0x68/0xbc > el0t_64_sync+0x19c/0x1a0 > > To fix this, protect the rcu read access > > Signed-off-by: Jiao, Joey <quic_jiangenj@quicinc.com> > --- > security/selinux/avc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index 32eb67fb3e42..ded3823d4451 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c > @@ -528,6 +528,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) > > hvalue = avc_hash(ssid, tsid, tclass); > head = &selinux_avc.avc_cache.slots[hvalue]; > + rcu_read_lock(); > hlist_for_each_entry_rcu(node, head, list) { > if (ssid == node->ae.ssid && > tclass == node->ae.tclass && 
> @@ -536,6 +537,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) > break; > } > } > + rcu_read_unlock(); > > return ret; > } > -- > 2.47.1

Thanks for the bug report, do you have any more information about the kernel that demonstrated this problem? I'm asking because when I look at the kernel sources, all callers of avc_search_node() should already be holding the RCU read lock:

  avc_has_extended_perms() or avc_has_perm_noaudit()
    avc_lookup()
      avc_search_node()
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 32eb67fb3e42..ded3823d4451 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -528,6 +528,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) hvalue = avc_hash(ssid, tsid, tclass); head = &selinux_avc.avc_cache.slots[hvalue]; + rcu_read_lock(); hlist_for_each_entry_rcu(node, head, list) { if (ssid == node->ae.ssid && tclass == node->ae.tclass && @@ -536,6 +537,7 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) break; } } + rcu_read_unlock(); return ret; }
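Review bot: the rcu_read_lock()/rcu_read_unlock() pair added around the hlist_for_each_entry_rcu() walk in avc_search_node() is redundant rather than a fix. As the reply points out, avc_search_node() is only reached through avc_lookup() from avc_has_perm_noaudit() or avc_has_extended_perms(), which already hold the RCU read lock (the reported call trace itself shows avc_has_perm_noaudit -> avc_lookup), so nesting a second read-side critical section does not change the lifetime of the nodes being walked. The splat is an 8-byte read at an address ending in 0xb1, which is not a plausibly aligned struct member of a live avc_node and suggests the list walk followed a corrupted or already-freed pointer; the added lock cannot prevent that. Before this is reconsidered, the commit message should state which kernel tree and version reproduced the report, whether any out-of-tree changes touch the AVC or its callers, and include the reproducer plus the "Allocated by"/"Freed by" sections of the KASAN report so the origin of the bad node can be traced.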