From: Stanislav Kinsbursky <skinsbursky@parallels.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	James Morris <james.l.morris@oracle.com>,
	Eric Paris <eparis@parisplace.org>,
	<linux-security-module@vger.kernel.org>,
	Dave Jones <davej@redhat.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: selinux_msg_queue_msgrcv() oops
Date: Thu, 7 Feb 2013 13:16:05 +0400
Message-ID: <511370D5.4030100@parallels.com>
In-Reply-To: <CA+ydwtp6fjMKsG4Oo5Ep2WXaykH+5D7MVWSHzUtnUFhr_HkJNw@mail.gmail.com>

06.02.2013 23:51, Tommi Rantala wrote:
> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>> On 02/06/2013 10:21 AM, Tommi Rantala wrote:
>>> 2013/2/6 Stephen Smalley <sds@tycho.nsa.gov>:
>>>> On 02/06/2013 07:56 AM, Tommi Rantala wrote:
>>>>> Hello,
>>>>>
>>>>> I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
>>>>> Trinity as the root user (in a qemu VM):
>>>>
>>>> NULL msg->security at that point is a bug in the ipc subsystem; SELinux
>>>> is just the messenger.  Normally msg->security is set for every
>>>> allocated msg by load_msg() -> security_msg_msg_alloc() ->
>>>> selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
>>>> security_msg_msg_free() -> selinux_msg_msg_free_security().  Looking
>>>> around, I see copy_msg() introduced for checkpoint-restore initializes
>>>> dst->security to NULL but never sets it properly?
>>>
>>> I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
>>> analysis seems to be correct.
>>
>> (cc originator of the bug)
>>
>> If I am reading this correctly, then when the copy msg was created, a msg
>> security struct was already allocated
>> (prepare_copy->load_msg->security_msg_msg_alloc).  So having copy_msg()
>> clear dst->security is also a memory leak in addition to leading to this
>> oops.  Attached is a possible, un-tested fix.
>
> I can still reproduce the exact same oops with the patch applied. I
> also wanted to be sure that copy_msg() is called, so I added a warning
> there, but that never gets triggered. So I suppose the problem is not
> actually related to CONFIG_CHECKPOINT_RESTORE.
>

Hello.
Unfortunately, you are not the first one who experiences problems with Trinity running in KVM.

copy_msg() won't be called unless you specify the MSG_COPY flag in the msgrcv() flags parameter.

Could you make a small investigation around the problem?
For example, does this problem appear if you disable the CONFIG_CHECKPOINT_RESTORE config option?


-- 
Best regards,
Stanislav Kinsbursky
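To tell whether the copy path is even reachable on the kernel under test, here is an added C example (not code from this thread, from the reporter's setup or from the kernel tree). It sends one message on a private System V queue and peeks at it with MSG_COPY|IPC_NOWAIT, which is the only way userspace reaches copy_msg(). On a kernel built without CONFIG_CHECKPOINT_RESTORE the peek fails with ENOSYS, so copy_msg() cannot be involved in the oops; with it enabled, the copied message must match the original and the original must still be on the queue afterwards, since MSG_COPY does not dequeue. The enum names, the struct layout and the payload are this example's own assumptions; the value of MSG_COPY is the kernel's UAPI constant, defined here only in case the C library headers omit it.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>

/* MSG_COPY lives in <linux/msg.h>; glibc's <sys/msg.h> may not export it,
 * so fall back to the kernel UAPI value if it is missing. */
#ifndef MSG_COPY
#define MSG_COPY 040000
#endif

/* Hypothetical result codes for this probe (not kernel names). */
enum probe_result {
    PROBE_NO_IPC = -1,     /* SysV message queues unusable in this environment */
    PROBE_COPY_ENOSYS = 0, /* MSG_COPY rejected: CONFIG_CHECKPOINT_RESTORE is off */
    PROBE_COPY_OK = 1,     /* peek succeeded, matched, original still queued */
    PROBE_MISMATCH = 2,    /* peek returned different bytes or dequeued the message */
};

struct probe_msg {
    long mtype;
    char mtext[32];
};

enum probe_result probe_msg_copy(void)
{
    struct probe_msg sent = { .mtype = 1 };   /* remaining mtext bytes are zeroed */
    struct probe_msg got;
    enum probe_result result;
    int qid;

    strcpy(sent.mtext, "constructed probe");  /* constructed sample payload */

    qid = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (qid < 0)
        return PROBE_NO_IPC;

    if (msgsnd(qid, &sent, sizeof(sent.mtext), IPC_NOWAIT) < 0) {
        result = PROBE_NO_IPC;
        goto out;
    }

    /* Peek at queue position 0 without dequeuing. MSG_COPY requires
     * IPC_NOWAIT, and msgtyp is then an index into the queue, not a type. */
    memset(&got, 0, sizeof(got));
    if (msgrcv(qid, &got, sizeof(got.mtext), 0, MSG_COPY | IPC_NOWAIT) < 0) {
        result = (errno == ENOSYS) ? PROBE_COPY_ENOSYS : PROBE_NO_IPC;
        goto out;
    }

    result = (got.mtype == sent.mtype &&
              memcmp(got.mtext, sent.mtext, sizeof(sent.mtext)) == 0)
             ? PROBE_COPY_OK : PROBE_MISMATCH;

    /* A real copy leaves the original in place: a normal receive must still
     * find it. If it is gone, the flag was not honoured as MSG_COPY. */
    if (result == PROBE_COPY_OK &&
        msgrcv(qid, &got, sizeof(got.mtext), 0, IPC_NOWAIT) < 0)
        result = PROBE_MISMATCH;

out:
    msgctl(qid, IPC_RMID, NULL);   /* never leak the queue, even on error */
    return result;
}

int main(void)
{
    switch (probe_msg_copy()) {
    case PROBE_COPY_OK:     puts("MSG_COPY works: copy_msg() is reachable"); break;
    case PROBE_COPY_ENOSYS: puts("MSG_COPY -> ENOSYS: kernel lacks CONFIG_CHECKPOINT_RESTORE"); break;
    case PROBE_NO_IPC:      puts("SysV message queues not usable here"); break;
    default:                puts("MSG_COPY peek did not behave like a copy"); break;
    }
    return 0;
}
```

Run it on the same kernel the fuzzer runs against: an ENOSYS result confirms Tommi's observation that copy_msg() is never entered, which points the search back at the ordinary load_msg()/free_msg() lifecycle rather than at the checkpoint-restore copy.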
