From: "Mickaël Salaün" <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>,
Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>
Cc: Jann Horn <jannh@google.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Kees Cook <keescook@chromium.org>,
syzbot <syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com>,
jmorris@namei.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, serge@hallyn.com,
syzkaller-bugs@googlegroups.com, linux-fsdevel@vger.kernel.org
Subject: Re: [syzbot] [lsm?] general protection fault in hook_inode_free_security
Date: Mon, 8 Jul 2024 16:11:41 +0200 [thread overview]
Message-ID: <20240708.ig8Kucapheid@digikod.net> (raw)
In-Reply-To: <CAHC9VhT-Pm6_nJ-8Xd_B4Fq+jZ0kYnfc3wwNa_jM+4=pg5RVrQ@mail.gmail.com>
On Thu, Jun 27, 2024 at 02:28:03PM -0400, Paul Moore wrote:
> On Thu, Jun 27, 2024 at 9:34 AM Mickaël Salaün <mic@digikod.net> wrote:
> >
> > I didn't find specific issues with Landlock's code except the extra
> > check in hook_inode_free_security(). It looks like inode->i_security is
> > a dangling pointer, leading to UAF.
> >
> > Reading security_inode_free() comments, two things looks weird to me:
> >
> > > /**
> > > * security_inode_free() - Free an inode's LSM blob
> > > * @inode: the inode
> > > *
> > > * Deallocate the inode security structure and set @inode->i_security to NULL.
> >
> > I don't see where i_security is set to NULL.
>
> The function header comments are known to be a bit suspect, a side
> effect of being detached from the functions for many years, this may
> be one of those cases. I tried to fix up the really awful ones when I
> moved the comments back, back I didn't have time to go through each
> one in detail. Patches to correct the function header comments are
> welcome and encouraged! :)
>
> > > */
> > > void security_inode_free(struct inode *inode)
> > > {
> >
> > Shouldn't we add this check here?
> > if (!inode->i_security)
> > return;
>
> Unless I'm remembering something wrong, I believe we *should* always
> have a valid i_security pointer each time we are called, if not
> something has gone wrong, e.g. the security_inode_free() hook is no
> longer being called from the right place. If we add a NULL check, we
> should probably have a WARN_ON(), pr_err(), or something similar to
> put some spew on the console/logs.
>
> All that said, it would be good to hear some confirmation from the VFS
> folks that the security_inode_free() hook is located in a spot such
> that once it exits it's current RCU critical section it is safe to
> release the associated LSM state.
>
> It's also worth mentioning that while we always allocate i_security in
> security_inode_alloc() right now, I can see a world where we allocate
> the i_security field based on need using the lsm_blob_size info (maybe
> that works today? not sure how kmem_cache handled 0 length blobs?).
> The result is that there might be a legitimate case where i_security
> is NULL, yet we still want to call into the LSM using the
> inode_free_security() implementation hook.
>
> > > call_void_hook(inode_free_security, inode);
> > > /*
> > > * The inode may still be referenced in a path walk and
> > > * a call to security_inode_permission() can be made
> > > * after inode_free_security() is called. Ideally, the VFS
> > > * wouldn't do this, but fixing that is a much harder
> > > * job. For now, simply free the i_security via RCU, and
> > > * leave the current inode->i_security pointer intact.
> > > * The inode will be freed after the RCU grace period too.
> >
> > It's not clear to me why this should be safe if an LSM try to use the
> > partially-freed blob after the hook calls and before the actual blob
> > free.
>
> I had the same thought while looking at this just now. At least in
> the SELinux case I think this "works" simply because SELinux doesn't
> do much here, it just drops the inode from a SELinux internal list
> (long story) and doesn't actually release any memory or reset the
> inode's SELinux state (there really isn't anything to "free" in the
> SELinux case). I haven't checked the other LSMs, but they may behave
> similarly.
>
> We may want (need?) to consider two LSM implementation hooks called
> from within security_inode_free(): the first where the existing
> inode_free_security() implementation hook is called, the second inside
> the inode_free_by_rcu() callback immediately before the i_security
> data is free'd.
Couldn't we call everything in inode_free_by_rcu()?
I replied here instead:
https://lore.kernel.org/r/20240708.hohNgieja0av@digikod.net
>
> ... or we find a better placement in the VFS for
> security_inode_free(), is that is possible. It may not be, our VFS
> friends should be able to help here.
Christian? Al?
>
> > > */
> > > if (inode->i_security)
> > > call_rcu((struct rcu_head *)inode->i_security,
> > > inode_free_by_rcu);
> >
> > And then:
> > inode->i_security = NULL;
>
> According to the comment we may still need i_security for permission
> checks. See my comment about decomposing the LSM implementation into
> two hooks to better handle this for LSMs.
That was my though too, but maybe not if the path walk just ends early.
>
> > But why call_rcu()? i_security is not protected by RCU barriers.
>
> I believe the issue is that the inode is protected by RCU and that
> affects the lifetime of the i_security blob.
It seems to be related to commit fa0d7e3de6d6 ("fs: icache RCU free
inodes").
next prev parent reply other threads:[~2024-07-08 14:11 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-08 19:32 [syzbot] [lsm?] general protection fault in hook_inode_free_security syzbot
2024-05-10 0:01 ` Paul Moore
2024-05-15 15:12 ` Mickaël Salaün
2024-05-16 7:31 ` Mickaël Salaün
2024-05-16 13:07 ` Mathieu Desnoyers
2024-06-27 13:33 ` Mickaël Salaün
2024-06-27 13:34 ` Mickaël Salaün
2024-06-27 18:12 ` Kees Cook
2024-06-27 18:45 ` Paul E. McKenney
2024-06-27 19:29 ` Paul Moore
2024-07-08 14:02 ` Mickaël Salaün
2024-07-08 19:25 ` Kees Cook
2024-07-09 5:12 ` Christian Brauner
2024-06-27 18:28 ` Paul Moore
2024-07-08 14:11 ` Mickaël Salaün [this message]
2024-07-08 22:32 ` Paul Moore
2024-07-09 5:46 ` Christian Brauner
2024-07-09 23:13 ` Paul Moore
2024-07-10 5:52 ` Christian Brauner
2024-07-10 12:23 ` Mickaël Salaün
2024-07-10 13:53 ` Mickaël Salaün
2024-07-10 21:22 ` Paul Moore
2024-07-11 0:30 ` Tetsuo Handa
2024-07-11 14:06 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240708.ig8Kucapheid@digikod.net \
--to=mic@digikod.net \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=paulmck@kernel.org \
--cc=serge@hallyn.com \
--cc=syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.