iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/kernel
History
GUO Zihua a6176a802c ima: Avoid blocking in RCU read-side critical section 
commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream.

A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
               BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ? page_add_file_rmap+0x15/0x170
 ? alloc_set_pte+0x269/0x4c0
 ? prep_new_page+0x81/0x140
 ? simple_xattr_get+0x75/0xa0
 ? selinux_file_open+0x9d/0xf0
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 ? page_counter_try_charge+0x57/0xc0
 ? files_cgroup_alloc_fd+0x38/0x60
 ? __alloc_fd+0xd4/0x250
 ? do_sys_open+0x1bd/0x250
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
|	Thread A	|	Thread B	|
|			|ima_match_policy	|
|			|  rcu_read_lock	|
|ima_lsm_update_rule	|			|
|  synchronize_rcu	|			|
|			|    kmalloc(GFP_KERNEL)|
|			|      sleep		|
==> synchronize_rcu returns early
|  kfree(entry)		|			|
|			|    entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
|			|    entry->action	|
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-18 13:05:44 +02:00
..
bpf
fs: add file and path permissions helpers
2024-06-21 14:52:58 +02:00
cgroup
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
2024-06-16 13:32:15 +02:00
configs
debug
kdb: Use format-specifiers rather than memset() for padding in kdb_read()
2024-06-16 13:32:35 +02:00
dma
dma-mapping: clear dev->dma_mem to NULL after freeing it
2024-01-25 14:37:45 -08:00
entry
entry/kvm: Exit to user mode when TIF_NOTIFY_SIGNAL is set
2023-01-04 11:39:22 +01:00
events
perf/core: Fix missing wakeup when waiting for context reference
2024-07-05 09:12:44 +02:00
futex
futex: Don't include process MM in futex key on no-MMU
2023-11-20 11:06:44 +01:00
gcov
gcov: add support for GCC 14
2024-07-05 09:12:41 +02:00
irq
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
2024-06-16 13:32:30 +02:00
kcsan
kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures
2023-07-27 08:43:57 +02:00
livepatch
kallsyms: refactor {,module_}kallsyms_on_each_symbol
2024-06-21 14:52:58 +02:00
locking
lockdep: Fix block chain corruption
2023-12-08 08:46:09 +01:00
power
PM: suspend: Set mem_sleep_current during kernel command line setup
2024-04-13 12:58:13 +02:00
printk
printk: Update @console_may_schedule in console_trylock_spinning()
2024-04-13 12:58:54 +02:00
rcu
rcutorture: Fix invalid context warning when enable srcu barrier testing
2024-07-05 09:12:33 +02:00
sched
sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
2024-06-16 13:32:15 +02:00
time
tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device()
2024-07-05 09:12:32 +02:00
trace
tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test
2024-07-05 09:12:43 +02:00
.gitignore
kbuild: update config_data.gz only when the content of .config is changed
2021-05-11 14:47:37 +02:00
acct.c
acct: fix potential integer overflow in encode_comp_t()
2023-01-14 10:16:14 +01:00
async.c
async: Introduce async_schedule_dev_nocall()
2024-02-23 08:41:53 +01:00
audit_fsnotify.c
fsnotify: make allow_dups a property of the group
2024-06-21 14:53:39 +02:00
audit_tree.c
fsnotify: pass flags argument to fsnotify_alloc_group()
2024-06-21 14:53:39 +02:00
audit_watch.c
fsnotify: pass flags argument to fsnotify_alloc_group()
2024-06-21 14:53:39 +02:00
audit.c
audit: Send netlink ACK before setting connection in auditd_set
2024-02-23 08:42:03 +01:00
audit.h
audit: log AUDIT_TIME_* records only from rules
2022-04-08 14:40:00 +02:00
auditfilter.c
ima: Avoid blocking in RCU read-side critical section
2024-07-18 13:05:44 +02:00
auditsc.c
audit: fix possible soft lockup in __audit_inode_child()
2023-09-19 12:20:13 +02:00
backtracetest.c
bounds.c
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
2024-05-02 16:23:46 +02:00
capability.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
compat.c
sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
2023-04-05 11:23:45 +02:00
configs.c
context_tracking.c
cpu_pm.c
PM: cpu: Make notifier chain use a raw_spinlock_t
2021-09-15 09:50:40 +02:00
cpu.c
cpu: Re-enable CPU mitigations by default for !X86 architectures
2024-05-02 16:23:44 +02:00
crash_core.c
crash_core, vmcoreinfo: append 'SECTION_SIZE_BITS' to vmcoreinfo
2021-06-23 14:42:52 +02:00
crash_dump.c
cred.c
cred: switch to using atomic_long_t
2023-12-20 15:44:30 +01:00
delayacct.c
dma.c
exec_domain.c
exit.c
mm: optimize the redundant loop of mm_update_owner_next()
2024-07-18 13:05:42 +02:00
extable.c
fail_function.c
kernel/fail_function: fix memory leak with using debugfs_lookup()
2023-03-11 16:40:18 +01:00
fork.c
exec: Simplify unshare_files
2024-06-21 14:52:47 +02:00
freezer.c
Revert "kernel: freezer should treat PF_IO_WORKER like PF_KTHREAD for freezing"
2021-04-07 15:00:14 +02:00
gen_kheaders.sh
kheaders: explicitly define file modes for archived headers
2024-07-05 09:12:44 +02:00
groups.c
LSM: Signal to SafeSetID when setting group IDs
2020-10-13 09:17:34 -07:00
hung_task.c
kernel/hung_task.c: make type annotations consistent
2020-11-02 12:14:19 -08:00
iomem.c
irq_work.c
jump_label.c
jump_label: Fix jump_label_text_reserved() vs __init
2021-07-20 16:05:58 +02:00
kallsyms.c
kallsyms: only build {,module_}kallsyms_on_each_symbol when required
2024-06-21 14:52:58 +02:00
kcmp.c
kcmp: In get_file_raw_ptr use task_lookup_fd_rcu
2024-06-21 14:52:48 +02:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: don't lose track of remote references during softirqs
2024-07-05 09:12:41 +02:00
kexec_core.c
kexec: fix a memory leak in crash_shrink_memory()
2023-07-27 08:43:40 +02:00
kexec_elf.c
kexec_file.c
kexec: support purgatories with .text.hot sections
2023-06-21 15:45:37 +02:00
kexec_internal.h
panic, kexec: make __crash_kexec() NMI safe
2023-04-20 12:10:29 +02:00
kexec.c
panic, kexec: make __crash_kexec() NMI safe
2023-04-20 12:10:29 +02:00
kheaders.c
kheaders: Use array declaration instead of char
2023-05-17 11:47:33 +02:00
kmod.c
kprobes.c
kprobes: Fix possible use-after-free issue on kprobe registration
2024-05-02 16:23:36 +02:00
ksysfs.c
kexec: turn all kexec_mutex acquisitions into trylocks
2023-04-20 12:10:29 +02:00
kthread.c
exit: Implement kthread_exit
2024-06-21 14:53:28 +02:00
latencytop.c
Makefile
futex: Move to kernel/futex/
2023-01-14 10:15:20 +01:00
module_signature.c
module: harden ELF info handling
2021-03-25 09:04:11 +01:00
module_signing.c
module: harden ELF info handling
2021-03-25 09:04:11 +01:00
module-internal.h
module.c
NFSD: Remove svc_serv_ops::svo_module
2024-06-21 14:53:37 +02:00
notifier.c
nsproxy.c
padata.c
padata: Disable BH when taking works lock on MT path
2024-07-05 09:12:33 +02:00
panic.c
panic: Flush kernel log buffer at the end
2024-04-13 12:59:40 +02:00
params.c
params: lift param_set_uint_minmax to common code
2024-06-16 13:32:26 +02:00
pid_namespace.c
zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING
2024-07-05 09:12:33 +02:00
pid.c
kernel/pid.c: implement additional checks upon pidfd_create() parameters
2024-06-21 14:53:17 +02:00
profile.c
profiling: fix shift too large makes kernel panic
2022-08-21 15:16:05 +02:00
ptrace.c
ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
2022-06-09 10:20:49 +02:00
range.c
kernel.h: split out min()/max() et al. helpers
2020-10-16 11:11:19 -07:00
reboot.c
kernel/reboot: emergency_restart: Set correct system_state
2023-11-28 16:54:58 +00:00
regset.c
relay.c
relayfs: fix out-of-bounds access in relay_file_read
2023-05-17 11:47:34 +02:00
resource.c
dax/kmem: Fix leak of memory-hotplug resources
2023-03-11 16:40:04 +01:00
rseq.c
rseq: Remove broken uapi field layout on 32-bit little endian
2022-04-08 14:40:03 +02:00
scftorture.c
scftorture: Forgive memory-allocation failure if KASAN
2023-09-23 11:01:05 +02:00
scs.c
seccomp.c
seccomp: Invalidate seccomp mode to catch death failures
2024-03-01 13:16:46 +01:00
signal.c
task_work: unconditionally run task_work from get_signal()
2023-01-04 11:39:23 +01:00
smp.c
smp: Fix offline cpu check in flush_smp_call_function_queue()
2022-04-20 09:23:29 +02:00
smpboot.c
sched/core: Initialize the idle task with preemption disabled
2021-07-14 16:55:50 +02:00
smpboot.h
softirq.c
softirq: Add debug check to __raise_softirq_irqoff()
2020-09-16 15:18:56 +02:00
stackleak.c
gcc-plugins/stackleak: Use noinstr in favor of notrace
2022-02-23 12:01:00 +01:00
stacktrace.c
stacktrace: Remove reliable argument from arch_stack_walk() callback
2020-09-18 14:24:16 +01:00
static_call.c
static_call: Fix unused variable warn w/o MODULE
2021-09-08 08:49:00 +02:00
stop_machine.c
stop_machine, rcu: Mark functions as notrace
2020-10-26 12:12:27 +01:00
sys_ni.c
syscalls: fix compat_sys_io_pgetevents_time64 usage
2024-07-05 09:12:55 +02:00
sys.c
fs: add file and path permissions helpers
2024-06-21 14:52:58 +02:00
sysctl-test.c
sysctl.c
sysctl: introduce new proc handler proc_dobool
2024-06-21 14:53:18 +02:00
task_work.c
task_work: add helper for more targeted task_work canceling
2023-01-04 11:39:23 +01:00
taskstats.c
taskstats: move specifying netlink policy back to ops
2020-10-02 19:11:12 -07:00
test_kprobes.c
torture.c
torture: Fix hang during kthread shutdown phase
2023-08-30 16:23:17 +02:00
tracepoint.c
tracepoint: Use rcu get state and cond sync for static call updates
2021-09-03 10:09:30 +02:00
tsacct.c
taskstats: Cleanup the use of task->exit_code
2022-01-27 10:54:33 +01:00
ucount.c
fanotify: configurable limits via sysfs
2024-06-21 14:53:06 +02:00
uid16.c
uid16.h
umh.c
usermodehelper: reset umask to default before executing user process
2020-10-06 10:31:52 -07:00
up.c
smp: Fix smp_call_function_single_async prototype
2021-05-14 09:50:46 +02:00
user_namespace.c
Revert "Add a reference to ucounts for each cred"
2021-09-08 08:49:00 +02:00
user-return-notifier.c
user.c
usermode_driver.c
bpf: Fix umd memory leak in copy_process()
2021-03-30 14:32:03 +02:00
utsname_sysctl.c
utsname.c
watch_queue.c
watch_queue: fix IOC_WATCH_QUEUE_SET_SIZE alloc error paths
2023-03-17 08:45:13 +01:00
watchdog_hld.c
watchdog/perf: more properly prevent false positives with turbo modes
2023-07-27 08:43:40 +02:00
watchdog.c
watchdog: move softlockup_panic back to early_param
2023-11-28 16:54:56 +00:00
workqueue_internal.h
workqueue.c
Revert "workqueue: remove unused cancel_work()"
2023-12-08 08:46:13 +01:00