From: "GONG, Ruiqi" <gongruiqi1@huawei.com>

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1
CVE: NA
----------------------------------------
After backporting commit cfff75d8973a ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, another kernel panic was triggered by running the POC of the aforementioned commit:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
PGD 800000001840b067 P4D 800000001840b067 PUD 1840c067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 7 PID: 273 Comm: exe Tainted: G OE 4.19.90+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:selinux_file_open+0x49/0xf0
Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40
RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246
RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0
R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70
R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70
FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? generic_permission+0x10a/0x190
 security_file_open+0x26/0x90
 do_dentry_open+0xd9/0x380
 do_last+0x197/0x8d0
 path_openat+0x89/0x280
 do_filp_open+0x91/0x100
 do_open_execat+0x79/0x180
 __do_execve_file.isra.0+0x6dd/0x8b0
 __x64_sys_execve+0x35/0x40
 do_syscall_64+0x63/0x250
 ? async_page_fault+0x8/0x30
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x49a5db
Code: 41 89 01 eb da 66 2e 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d6 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe7b1cebd8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 0000000000d27ee0 RCX: 000000000049a5db
RDX: 0000000000d27f08 RSI: 0000000000d27ee0 RDI: 0000000000d27f48
RBP: 0000000000d27f48 R08: fefefefefefefeff R09: fefefeff666d686f
R10: 0000000000d25b90 R11: 0000000000000246 R12: 0000000000d27f08
R13: 0000000000655894 R14: 0000000000d27f08 R15: 0000000000d26ed0
Modules linked in: e1000(OE)
CR2: 0000000000000008
---[ end trace e4eb884974c22e2d ]---
RIP: 0010:selinux_file_open+0x49/0xf0
Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40
RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246
RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0
R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70
R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70
FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x14400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---
The problem was caused by selinux_file_open() accessing a file's fsec that was NULL, which indicated that the file_alloc_security hook should be deleted later (at least after the file_open hook) when disabling SELinux at runtime. Here I put it into the "allocating" part.
Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
---
 security/selinux/hooks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cd26c1199353..85ac12d6b2f4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7040,7 +7040,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(file_free_security, selinux_file_free_security), LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), LSM_HOOK_INIT(mmap_file, selinux_mmap_file), @@ -7207,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
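Review bot: the first hunk moves file_alloc_security out of the file_* group but leaves `LSM_HOOK_INIT(file_free_security, selinux_file_free_security)` in place between `file_permission` and `file_ioctl`. By the same deletion-order argument the description relies on, the free hook is now unregistered long before the alloc hook during a runtime disable, so any file opened in that window gets an f_security blob that is allocated but never freed. Either move file_free_security to follow file_alloc_security as well, or say in the description why a bounded leak during runtime disable is acceptable here.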
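Review bot: the placement in the second hunk matches its neighbours (`sb_alloc_security`, `inode_alloc_security`), but "the 'allocating' part" is the only hint at why it must go there. State the invariant explicitly, in the description or in a comment beside the new entry: every hook that reads file->f_security must appear in selinux_hooks[] before file_alloc_security so that it is unregistered first when SELinux is disabled at runtime. It is also worth checking that the other file hooks left in the first hunk's context (`file_ioctl`, `mmap_file`) are covered by that rule; they are, since the first hunk sits around line 7040 and the new entry around line 7206.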
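The ordering argument in the description can be checked outside the kernel. The C model below is an added example, not kernel code or part of this patch: it walks a hook table in order, removing one hook per step the way the description says runtime disable does, and after each step simulates an open() to see whether a live file_open hook would dereference an f_security that no live file_alloc_security hook allocated. The two tables are constructed subsets of selinux_hooks[] (only the entries relevant here, in the order the hunks show for alloc relative to the file_* group; the position of file_open relative to those is assumed), not the full table.

```c
/* Added example, not kernel code: models why hook-table order matters when
 * SELinux is disabled at runtime. Hooks are unregistered one at a time in
 * table order, so between two deletions some hooks are still live. If
 * file_alloc_security is gone while file_open is still live, the open path
 * runs selinux_file_open() on a file whose f_security was never allocated,
 * which is the NULL dereference in the oops above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOOKS 16

/* Stand-in for struct file with only the field that matters here. */
struct fake_file {
	void *f_security;
};

/* Hook names in table order; a hook is "live" until it is unregistered. */
struct hook_table {
	const char *names[MAX_HOOKS];
	bool live[MAX_HOOKS];
	size_t n;
};

static bool hook_live(const struct hook_table *t, const char *name)
{
	for (size_t i = 0; i < t->n; i++)
		if (t->live[i] && strcmp(t->names[i], name) == 0)
			return true;
	return false;
}

/* Simulate do_dentry_open() -> security_file_open() under the current set
 * of live hooks. Returns true if file_open would touch a NULL f_security. */
static bool open_would_crash(const struct hook_table *t)
{
	static int blob; /* stands in for the kzalloc'd file_security_struct */
	struct fake_file f = { .f_security = NULL };

	if (hook_live(t, "file_alloc_security"))
		f.f_security = &blob;
	if (hook_live(t, "file_open"))
		return f.f_security == NULL; /* fsec->sid on a NULL fsec */
	return false;
}

/* Unregister hooks one at a time in table order and count the intermediate
 * states in which an open() would crash. 0 means the order is safe. */
size_t count_crash_windows(const char *const *names, size_t n)
{
	struct hook_table t = { .n = n };
	size_t crashes = 0;

	for (size_t i = 0; i < n; i++) {
		t.names[i] = names[i];
		t.live[i] = true;
	}
	for (size_t i = 0; i < n; i++) {
		t.live[i] = false; /* one deletion step of runtime disable */
		if (open_would_crash(&t))
			crashes++;
	}
	return crashes;
}

/* Constructed subsets of selinux_hooks[], before and after this patch. */
static const char *const before_patch[] = {
	"file_permission", "file_alloc_security", "file_free_security",
	"file_ioctl", "mmap_file", "file_open",
	"sb_alloc_security", "inode_alloc_security",
};
static const char *const after_patch[] = {
	"file_permission", "file_free_security",
	"file_ioctl", "mmap_file", "file_open",
	"sb_alloc_security", "inode_alloc_security", "file_alloc_security",
};

int main(void)
{
	printf("crash windows before patch: %zu\n",
	       count_crash_windows(before_patch, 8));
	printf("crash windows after patch:  %zu\n",
	       count_crash_windows(after_patch, 8));
	return 0;
}
```

With the pre-patch order the alloc hook disappears at the second deletion step while file_open stays live for four more steps, so four intermediate states would crash; with the post-patch order file_open is unregistered before file_alloc_security and no state crashes. The same walk, applied to the free hook, shows the leak window that appears when file_free_security is unregistered before file_alloc_security.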