From: Shi Weihua <shiwh@cn.fujitsu.com>
To: zohar@us.ibm.com, Ingo Molnar <mingo@elte.hu>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
Date: Mon, 01 Feb 2010 13:06:44 +0800
Message-ID: <4B666164.3090504@cn.fujitsu.com>

[-- Attachment #1: Type: text/plain, Size: 2873 bytes --]

Hi, Mimi

I used the latest LTP to test 2.6.33-rc6, and a kernel BUG occurred on my x86_64 (OS: Fedora 12).
The message from dmesg is as follows.
The LTP case is testcases/kernel/syscalls/pipe/pipe06.c. To make the code easier to read, I
wrote a simple program to reproduce this BUG. Please check the attached code.

I bisected it to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd:
    --------
    commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
    Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Date:   Thu Oct 22 17:30:13 2009 -0400

         LSM: imbed ima calls in the security hooks
    --------
Maybe you should fix it ;-)

--------------------------------------------------------------------------
BUG: unable to handle kernel NULL pointer dereference at 00000000000000ae
IP: [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
PGD 13a08e067 PUD 139fdf067 PMD 0
Oops: 0000 [#2] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.1/0000:19:00.0/0000:1a:00.0/irq
CPU 1
Pid: 1868, comm: a.out Tainted: G      D    2.6.33-rc6 #1 D2671/PRIMERGY
RIP: 0010:[<ffffffff811e3057>]  [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
RSP: 0018:ffff88013a713e48  EFLAGS: 00010202
RAX: ffff8801325a70c0 RBX: ffff88013a1c1f00 RCX: 0000041500000415
RDX: 000004143a713e68 RSI: ffffffff81a3a080 RDI: ffff88013a1c1f00
RBP: ffff88013a713e88 R08: ffff88013b75c8c0 R09: ffff88013a713ec8
R10: ffff88013a713df8 R11: ffff88013a713e08 R12: ffff88013a1c1f00
R13: 0000000000000000 R14: 00000000ffffffe8 R15: ffff88013a713f38
FS:  00007f6e5ea48700(0000) GS:ffff880028280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000ae CR3: 000000013a101000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process a.out (pid: 1868, threadinfo ffff88013a712000, task ffff880137e20000)
Stack:
 000004143a713e68 0000041500000415 ffff88013fc03500 ffff88013a1c1f00
<0> ffff880133d3a000 ffff88013a1c1f00 00000000ffffffe8 ffff88013a713f38
<0> ffff88013a713ea8 ffffffff811c87f9 ffff88013a713ea8 ffff88013a1c1f00
Call Trace:
 [<ffffffff811c87f9>] security_file_free+0x2d/0x31
 [<ffffffff81106767>] put_filp+0x22/0x36
 [<ffffffff8110c53c>] free_write_pipe+0x2f/0x34
 [<ffffffff8110d161>] do_pipe_flags+0xdc/0xf6
 [<ffffffff8110d19c>] sys_pipe2+0x21/0x63
 [<ffffffff8110d1ee>] sys_pipe+0x10/0x12
 [<ffffffff81009c72>] system_call_fastpath+0x16/0x1b
Code: e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 0f 1f 44 00 00 83 3d a2 50 bb 00 00 48 8b 47 18 49 89 fc 4c 8b 68 10 0f 84 bb 01 00 00 <41> 0f b7 85 ae 00 00 00 25 00 f0 00 00 3d 00 80 00 00 0f 85 a3
RIP  [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
 RSP <ffff88013a713e48>
CR2: 00000000000000ae
---[ end trace 1d8416bb1c67accb ]---
--------------------------------------------------------------------------

Shi Weihua

[-- Attachment #2: pipe.c --]
[-- Type: text/plain, Size: 394 bytes --]

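#include <errno.h>
#include <fcntl.h>
#include <stdio.h>	/* printf() */
#include <unistd.h>	/* pipe(), getdtablesize() */

int pipe_ret, pipes[2];

int main(int ac, char **av)
{
	int i, numb_fds;

	/* Upper bound on the number of descriptors this process may hold. */
	numb_fds = getdtablesize();

	/*
	 * Open pipes without closing them until the descriptor table is
	 * full; pipe() is then expected to fail with EMFILE.
	 */
	for (i = 0; i < numb_fds; i++) {
		pipe_ret = pipe(pipes);
		if (pipe_ret < 0) {
			if (errno != EMFILE)
				printf("got unexpected error - %d", errno);
			else
				printf("got expected error - %d", errno);
			break;
		}
	}

	return 0;
}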


Thread overview: 4+ messages
2010-02-01  5:06 Shi Weihua [this message]
2010-02-01 17:05 ` security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd Mimi Zohar
2010-02-01 18:03 ` hooanon05
2010-02-01 18:35   ` Mimi Zohar
