Commit b0acacde authored Oct 30, 2024 by GUO Zihua Committed by Gu Bowen Oct 30, 2024

ima: Avoid blocking in RCU read-side critical section

stable inclusion
from stable-v6.6.39
commit 28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB0WVE

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88



--------------------------------

commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream.

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
               BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ? page_add_file_rmap+0x15/0x170
 ? alloc_set_pte+0x269/0x4c0
 ? prep_new_page+0x81/0x140
 ? simple_xattr_get+0x75/0xa0
 ? selinux_file_open+0x9d/0xf0
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 ? page_counter_try_charge+0x57/0xc0
 ? files_cgroup_alloc_fd+0x38/0x60
 ? __alloc_fd+0xd4/0x250
 ? do_sys_open+0x1bd/0x250
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbd ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
|	Thread A	|	Thread B	|
|			|ima_match_policy	|
|			|  rcu_read_lock	|
|ima_lsm_update_rule	|			|
|  synchronize_rcu	|			|
|			|    kmalloc(GFP_KERNEL)|
|			|      sleep		|
==> synchronize_rcu returns early
|  kfree(entry)		|			|
|			|    entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
|			|    entry->action	|
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbd ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent daa64b10

include/linux/lsm_hook_defs.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -390,7 +390,7 @@ LSM_HOOK(int, 0, key_getsecurity, struct key key, char *buffer)

		#ifdef CONFIG_AUDIT
		LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr,
		void **lsmrule)
		void **lsmrule, gfp_t gfp)
		LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule)
		LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule)
		LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)

include/linux/security.h

+3 −2

Original line number	Diff line number	Diff line
		@@ -1953,7 +1953,8 @@ static inline int security_key_getsecurity(struct key key, char *_buffer)

		#ifdef CONFIG_AUDIT
		#ifdef CONFIG_SECURITY
		int security_audit_rule_init(u32 field, u32 op, char rulestr, void *lsmrule);
		int security_audit_rule_init(u32 field, u32 op, char rulestr, void *lsmrule,
		gfp_t gfp);
		int security_audit_rule_known(struct audit_krule *krule);
		int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
		void security_audit_rule_free(void *lsmrule);
		@@ -1961,7 +1962,7 @@ void security_audit_rule_free(void *lsmrule);
		#else

		static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,
		void **lsmrule)
		void **lsmrule, gfp_t gfp)
		{
		return 0;
		}

kernel/auditfilter.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -529,7 +529,8 @@ static struct audit_entry audit_data_to_entry(struct audit_rule_data data,
		entry->rule.buflen += f_val;
		f->lsm_str = str;
		err = security_audit_rule_init(f->type, f->op, str,
		(void **)&f->lsm_rule);
		(void **)&f->lsm_rule,
		GFP_KERNEL);
		/* Keep currently invalid fields around in case they
		* become valid after a policy reload. */
		if (err == -EINVAL) {
		@@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df,

		/* our own (refreshed) copy of lsm_rule */
		ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
		(void **)&df->lsm_rule);
		(void **)&df->lsm_rule, GFP_KERNEL);
		/* Keep currently invalid fields around in case they
		* become valid after a policy reload. */
		if (ret == -EINVAL) {

security/apparmor/audit.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule)
		}
		}

		int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
		int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule, gfp_t gfp)
		{
		struct aa_audit_rule *rule;

		@@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
		return -EINVAL;
		}

		rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
		rule = kzalloc(sizeof(struct aa_audit_rule), gfp);

		if (!rule)
		return -ENOMEM;

		/* Currently rules are treated as coming from the root ns */
		rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
		GFP_KERNEL, true, false);
		gfp, true, false);
		if (IS_ERR(rule->label)) {
		int err = PTR_ERR(rule->label);
		aa_audit_rule_free(rule);

security/apparmor/include/audit.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -193,7 +193,7 @@ static inline int complain_error(int error)
		}

		void aa_audit_rule_free(void *vrule);
		int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule);
		int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule, gfp_t gfp);
		int aa_audit_rule_known(struct audit_krule *rule);
		int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);