[PATCH openEuler-1.0-LTS] ima: fix deadlock when traversing "ima_default_rules". - Kernel

7 May 2024

From: liqiong liqiong@nfschina.com
mainline inclusion
from mainline-v5.16-rc1
commit eb0782bbdfd0d7c4786216659277c3fd585afc0e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9AAM6
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The current IMA ruleset is identified by the variable "ima_rules"
that default to "&ima_default_rules". When loading a custom policy
for the first time, the variable is updated to "&ima_policy_rules"
instead. That update isn't RCU-safe, and deadlocks are possible.
Indeed, some functions like ima_match_policy() may loop indefinitely
when traversing "ima_default_rules" with list_for_each_entry_rcu().
When iterating over the default ruleset back to head, if the list
head is "ima_default_rules", and "ima_rules" have been updated to
"&ima_policy_rules", the loop condition (&entry->list != ima_rules)
stays always true, traversing won't terminate, causing a soft lockup
and RCU stalls.
Introduce a temporary value for "ima_rules" when iterating over
the ruleset to avoid the deadlocks.
Signed-off-by: liqiong liqiong@nfschina.com
Reviewed-by: THOBY Simon Simon.THOBY@viveris.fr
Fixes: 38d859f991f3 ("IMA: policy can now be updated multiple times")
Reported-by: kernel test robot lkp@intel.com (Fix sparse: incompatible types in comparison expression.)
Signed-off-by: Mimi Zohar zohar@linux.ibm.com
Conflicts:
    security/integrity/ima/ima_policy.c
[Context conflicts. Besides an additional pair of rcu_read_lock and
unlock has been added to ima_update_policy_flag to mitigate a suspicious
RCU usage warning. This pair of RCU lock was added with commit
4f2946aa0c45 ("IMA: introduce a new policy option func=SETXATTR_CHECK")
on mainstream.]
Signed-off-by: GUO Zihua guozihua@huawei.com
---
 security/integrity/ima/ima_policy.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 08eae4df759e..3098894ea026 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -196,7 +196,7 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 static LIST_HEAD(ima_default_rules);
 static LIST_HEAD(ima_policy_rules);
 static LIST_HEAD(ima_temp_rules);
-static struct list_head *ima_rules = &ima_default_rules;
+static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules);
static int ima_policy __initdata;
@@ -515,9 +515,11 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 {
    struct ima_rule_entry *entry;
    int action = 0, actmask = flags | (flags << 1);
+	struct list_head *ima_rules_tmp;
rcu_read_lock();
-	list_for_each_entry_rcu(entry, ima_rules, list) {
+	ima_rules_tmp = rcu_dereference(ima_rules);
+	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
if (!(entry->action & actmask))
    		continue;
@@ -560,11 +562,15 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
 void ima_update_policy_flag(void)
 {
    struct ima_rule_entry *entry;
+	struct list_head *ima_rules_tmp;
-	list_for_each_entry(entry, ima_rules, list) {
+ 	rcu_read_lock();
+	ima_rules_tmp = rcu_dereference(ima_rules);
+	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
    	if (entry->action & IMA_DO_MASK)
    		ima_policy_flag |= entry->action;
    }
+	rcu_read_unlock();
ima_appraise |= (build_ima_appraise | temp_ima_appraise);
    if (!ima_appraise)
@@ -683,9 +689,9 @@ void ima_update_policy(void)
list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
-	if (ima_rules != policy) {
+	if (ima_rules != (struct list_head __rcu *)policy) {
    	ima_policy_flag = 0;
-		ima_rules = policy;
+		rcu_assign_pointer(ima_rules, policy);
    }
    ima_update_policy_flag();
 }
@@ -760,7 +766,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
    	pr_warn("rule for LSM '%s' is undefined\n",
    		(char *)entry->lsm[lsm_rule].args_p);
-		if (ima_rules == &ima_default_rules) {
+		if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) {
    		kfree(entry->lsm[lsm_rule].args_p);
    		entry->lsm[lsm_rule].args_p = NULL;
    		result = -EINVAL;
@@ -1188,9 +1194,11 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos)
 {
    loff_t l = *pos;
    struct ima_rule_entry *entry;
+	struct list_head *ima_rules_tmp;
rcu_read_lock();
-	list_for_each_entry_rcu(entry, ima_rules, list) {
+	ima_rules_tmp = rcu_dereference(ima_rules);
+	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
    	if (!l--) {
    		rcu_read_unlock();
    		return entry;
@@ -1209,7 +1217,8 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos)
    rcu_read_unlock();
    (*pos)++;
-	return (&entry->list == ima_rules) ? NULL : entry;
+	return (&entry->list == &ima_default_rules ||
+		&entry->list == &ima_policy_rules) ? NULL : entry;
 }
void ima_policy_stop(struct seq_file *m, void *v)
-- 
2.34.1


    