From: John Stultz <johnstul@us.ibm.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Paul Moore <paul@paul-moore.com>,
lkml <linux-kernel@vger.kernel.org>,
James Morris <james.l.morris@oracle.com>,
selinux@tycho.nsa.gov, Eric Dumazet <edumazet@google.com>,
john.johansen@canonical.com
Subject: Re: NULL pointer dereference in selinux_ip_postroute_compat
Date: Wed, 08 Aug 2012 12:14:42 -0700
Message-ID: <5022BAA2.90606@us.ibm.com>
In-Reply-To: <502198B4.8040503@linaro.org>

On 08/07/2012 03:37 PM, John Stultz wrote:
> On 08/07/2012 03:17 PM, Serge E. Hallyn wrote:
>> Quoting Paul Moore (paul@paul-moore.com):
>>> On Tue, Aug 7, 2012 at 5:58 PM, John Stultz <john.stultz@linaro.org> wrote:
>>>> On 08/07/2012 02:50 PM, Paul Moore wrote:
>>>>> On Tue, Aug 7, 2012 at 2:12 PM, John Stultz <john.stultz@linaro.org> wrote:
>>>>>> Hi,
>>>>>> With my kvm environment using 3.6-rc1+, I'm seeing NULL pointer
>>>>>> dereferences in selinux_ip_postroute_compat(). It looks like the sksec
>>>>>> value is null and we die in the following line:
>>>>>>
>>>>>>     if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
>>>>>>
>>>>>> This triggers every time I shut down the machine, but has also triggered
>>>>>> randomly after a few hours.
[snip]
>> The problem seems to be that selinux_nf_ip_init() was called, which
>> registers the selinux_ipv4_ops (and ipv6). Those should not get registered
>> if selinux ends up not being loaded (as in, if apparmor is loaded first),
>> since as you've found here the selinux lsm hooks won't be called to set
>> call selinux_sk_alloc_security().
> This sounds about right:
>
> root@testvm:~# dmesg | grep SELinux
> [ 0.004578] SELinux: Initializing.
> [ 0.005704] SELinux: Starting in permissive mode
> [ 2.235034] SELinux: Registering netfilter hooks
>
>> I assume what's happening is that CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
>> was set to 1, but selinux ended up being set to disabled after the
>> __initcall(selinux_nf_ip_init) ran? Weird.
> This looks right as well:
>
> # zcat config.gz | grep SELINUX
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
> CONFIG_DEFAULT_SECURITY_SELINUX=y
>
>
> Since the problem isn't completely obvious, I'm starting a bisection
> to narrow this down some more.

So I bisected this down and it seems to be the following commit:

commit be9f4a44e7d41cee50ddb5f038fc2391cbbb4046
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jul 19 07:34:03 2012 +0000

    ipv4: tcp: remove per net tcp_sock

It doesn't revert totally cleanly, but after fixing up the rejections
and booting with this patch removed on top of Linus' head the oops on
shutdown goes away.

thanks
-john