Commit ed36f246 authored by liqiong's avatar liqiong Committed by GUO Zihua
Browse files

ima: fix deadlock when traversing "ima_default_rules". 

mainline inclusion
from mainline-v5.16-rc1
commit eb0782bb
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9AAM6
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb0782bbdfd0d7c4786216659277c3fd585afc0e



--------------------------------

The current IMA ruleset is identified by the variable "ima_rules"
that default to "&ima_default_rules". When loading a custom policy
for the first time, the variable is updated to "&ima_policy_rules"
instead. That update isn't RCU-safe, and deadlocks are possible.
Indeed, some functions like ima_match_policy() may loop indefinitely
when traversing "ima_default_rules" with list_for_each_entry_rcu().

When iterating over the default ruleset back to head, if the list
head is "ima_default_rules", and "ima_rules" have been updated to
"&ima_policy_rules", the loop condition (&entry->list != ima_rules)
stays always true, traversing won't terminate, causing a soft lockup
and RCU stalls.

Introduce a temporary value for "ima_rules" when iterating over
the ruleset to avoid the deadlocks.

Signed-off-by: default avatarliqiong <liqiong@nfschina.com>
Reviewed-by: default avatarTHOBY Simon <Simon.THOBY@viveris.fr>
Fixes: 38d859f9 ("IMA: policy can now be updated multiple times")
Reported-by: kernel test robot <lkp@intel.com> (Fix sparse: incompatible types in comparison expression.)
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Conflicts:
	security/integrity/ima/ima_policy.c
[Context conflicts. Besides an additional pair of rcu_read_lock and
unlock has been added to ima_update_policy_flag to mitigate a suspicious
RCU usage warning. This pair of RCU lock was added with commit
4f2946aa ("IMA: introduce a new policy option func=SETXATTR_CHECK")
on mainstream.]
Signed-off-by: default avatarGUO Zihua <guozihua@huawei.com>
parent 93f42c5d

security/integrity/ima/ima_policy.c

+20 −9
Original line number Diff line number Diff line
@@ -245,7 +245,7 @@ static struct ima_rule_entry *arch_policy_entry __ro_after_init; 
static LIST_HEAD(ima_default_rules);

static LIST_HEAD(ima_policy_rules);

static LIST_HEAD(ima_temp_rules);

static struct list_head *ima_rules = &ima_default_rules;

static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules);



static int ima_policy __initdata;
@@ -702,12 +702,14 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 
{

	struct ima_rule_entry *entry;

	int action = 0, actmask = flags | (flags << 1);

	struct list_head *ima_rules_tmp;



	if (template_desc)

		*template_desc = ima_template_desc_current();



	rcu_read_lock();

	list_for_each_entry_rcu(entry, ima_rules, list) {

	ima_rules_tmp = rcu_dereference(ima_rules);

	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {



		if (!(entry->action & actmask))

			continue;
@@ -755,11 +757,15 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 
void ima_update_policy_flag(void)

{

	struct ima_rule_entry *entry;

	struct list_head *ima_rules_tmp;



	list_for_each_entry(entry, ima_rules, list) {

	rcu_read_lock();

	ima_rules_tmp = rcu_dereference(ima_rules);

	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {

		if (entry->action & IMA_DO_MASK)

			ima_policy_flag |= entry->action;

	}

	rcu_read_unlock();



	ima_appraise |= (build_ima_appraise | temp_ima_appraise);

	if (!ima_appraise)
@@ -1019,10 +1025,10 @@ void ima_update_policy(void) 


	list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);



	if (ima_rules != policy) {

	if (ima_rules != (struct list_head __rcu *)policy) {

		ima_policy_flag = 0;

		ima_rules = policy;



		rcu_assign_pointer(ima_rules, policy);

		/*

		 * IMA architecture specific policy rules are specified

		 * as strings and converted to an array of ima_entry_rules
@@ -1117,7 +1123,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, 
		pr_warn("rule for LSM \'%s\' is undefined\n",

			entry->lsm[lsm_rule].args_p);



		if (ima_rules == &ima_default_rules) {

		if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) {

			kfree(entry->lsm[lsm_rule].args_p);

			entry->lsm[lsm_rule].args_p = NULL;

			result = -EINVAL;
@@ -1764,9 +1770,11 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos) 
{

	loff_t l = *pos;

	struct ima_rule_entry *entry;

	struct list_head *ima_rules_tmp;



	rcu_read_lock();

	list_for_each_entry_rcu(entry, ima_rules, list) {

	ima_rules_tmp = rcu_dereference(ima_rules);

	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {

		if (!l--) {

			rcu_read_unlock();

			return entry;
@@ -1785,7 +1793,8 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 
	rcu_read_unlock();

	(*pos)++;



	return (&entry->list == ima_rules) ? NULL : entry;

	return (&entry->list == &ima_default_rules ||

		&entry->list == &ima_policy_rules) ? NULL : entry;

}



void ima_policy_stop(struct seq_file *m, void *v)
@@ -1998,6 +2007,7 @@ bool ima_appraise_signature(enum kernel_read_file_id id) 
	struct ima_rule_entry *entry;

	bool found = false;

	enum ima_hooks func;

	struct list_head *ima_rules_tmp;



	if (id >= READING_MAX_ID)

		return false;
@@ -2009,7 +2019,8 @@ bool ima_appraise_signature(enum kernel_read_file_id id) 
	func = read_idmap[id] ?: FILE_CHECK;



	rcu_read_lock();

	list_for_each_entry_rcu(entry, ima_rules, list) {

	ima_rules_tmp = rcu_dereference(ima_rules);

	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {

		if (entry->action != APPRAISE)

			continue;