Re: [PATCH] Selinux/hooks.c: Fix a NULL pointer dereference caused by semop()

[Manfred Spraul <manfred@colorfullife.com>]

[-- Attachment #1: Type: text/plain, Size: 2726 bytes --]

On 01/22/2015 03:44 AM, Ethan Zhao wrote:
> On Wed, Jan 21, 2015 at 1:30 PM, Manfred Spraul
> <manfred@colorfullife.com> wrote:
>> On 01/21/2015 04:53 AM, Ethan Zhao wrote:
>>> On Tue, Jan 20, 2015 at 10:10 PM, Stephen Smalley <sds@tycho.nsa.gov>
>>> wrote:
>>>> On 01/20/2015 04:18 AM, Ethan Zhao wrote:
>>>>>        sys_semget()
>>>>>        ->newary()
>>>>>            ->security_sem_alloc()
>>>>>              ->sem_alloc_security()
>>>>>                    selinux_sem_alloc_security()
>>>>>                    ->ipc_alloc_security() {
>>>>>                      ->rc = avc_has_perm()
>>>>>                                 if (rc) {
>>>>>
>>>>> ipc_free_security(&sma->sem_perm);
>>>>>                                         return rc;
>>>> We free the security structure here to avoid a memory leak on a
>>>> failed/denied semaphore set creation.  In this situation, we return an
>>>> error to the caller (ultimately to newary), it does an
>>>> ipc_rcu_putref(sma, ipc_rcu_free), and it returns an error to the
>>>> caller.  Thus, it never calls ipc_addid() and the semaphore set is not
>>>> created.  So how then can you call semtimedop() on it?
>>> Seems it wouldn't happen after commit
>>> e8577d1f0329d4842e8302e289fb2c22156abef4 ?
>> That was my first guess when I read the bug report - but it can't be the
>> fix, because security_sem_alloc() is before the ipc_addid(), with or without
>> the patch.
>>
>> thread A:
>>              thread B:
>>
>> semtimedop()
>> -> sem_obtain_object_check()
>>              semctl(IPC_RMID)
>>              -> freeary()
>>              -> ipc_rcu_putref()
>>              -> call_rcu()
>> -> somehow a grace period
>>              -> sem_rcu_free()
>>              -> security_sem_free()
>>
>> Perhaps: modify ipc_free_security() to hexdump perm and a few more bytes if
>> the pointer is NULL?
> I tried to ask for vmcore and do more analysis, basically, the race condition
> still exists and open a hole to be DoS.
Is the issue reproducable?
If yes, can you try something like the attached patch?
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5129,6 +5129,8 @@ static int ipc_has_perm(struct kern_ipc_perm
> *ipc_perms,
>         u32 sid = current_sid();
>
>         isec = ipc_perms->security;
> +     if (!isec)
> +             return -EACCES;
>
>         ad.type = LSM_AUDIT_DATA_IPC;
>         ad.u.ipc_id = ipc_perms->key;
ipc_has_perm() runs without any spinlocks/semaphores, only rcu_read_lock().
Testing for ipc_perms->security!=NULL does solve the issue that 
ipc_perm->key could be an access to kfree'd memory: Nothing prevents 
that the kfree could happen just after the test.

I.e.: The patch can't be the right solution.

--
     Manfred

[-- Attachment #2: patch-sem_ipc_has_perm --]
[-- Type: text/plain, Size: 2351 bytes --]

diff --git a/ipc/sem.c b/ipc/sem.c
index 6115146..80371dc 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -248,6 +248,7 @@ static void sem_rcu_free(struct rcu_head *head)
 	struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
 	struct sem_array *sma = ipc_rcu_to_struct(p);
 
+pr_info("sem_rcu_free: sma %p\n",sma);
 	security_sem_free(sma);
 	ipc_rcu_free(head);
 }
@@ -529,6 +530,7 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
 	sma->sem_nsems = nsems;
 	sma->sem_ctime = get_seconds();
 
+pr_info("newary: sma %p becomes visible\n",sma);
 	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
 	if (id < 0) {
 		ipc_rcu_putref(sma, sem_rcu_free);
@@ -1118,6 +1120,7 @@ static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
 
 	/* Remove the semaphore set from the IDR */
 	sem_rmid(ns, sma);
+pr_info("freeary: sma %p unlinked\n",sma);
 	sem_unlock(sma, -1);
 	rcu_read_unlock();
 
@@ -1860,6 +1863,9 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
 	if (ipcperms(ns, &sma->sem_perm, alter ? S_IWUGO : S_IRUGO))
 		goto out_rcu_wakeup;
 
+	if (sma->sem_perm.security == NULL) {
+		pr_info("sma %p: sem_perm.security == NULL\n", sma);
+	}
 	error = security_sem_semop(sma, sops, nsops, alter);
 	if (error)
 		goto out_rcu_wakeup;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6da7532..1499787 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5088,6 +5088,7 @@ static int ipc_alloc_security(struct task_struct *task,
 	isec->sclass = sclass;
 	isec->sid = sid;
 	perm->security = isec;
+pr_info("ipc_alloc_security for perm %p.\n", perm);
 
 	return 0;
 }
@@ -5096,6 +5097,7 @@ static void ipc_free_security(struct kern_ipc_perm *perm)
 {
 	struct ipc_security_struct *isec = perm->security;
 	perm->security = NULL;
+pr_info("ipc_free_security for perm %p.\n", perm);
 	kfree(isec);
 }
 
@@ -5129,6 +5131,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
 	u32 sid = current_sid();
 
 	isec = ipc_perms->security;
+	if (isec == NULL) {
+		struct sem_array *sma = container_of(ipc_perms, struct sem_array, sem_perm);
+
+		pr_info("sma %p, sem_base %p, deleted %d with NULL isec\n",
+					sma, sma->sem_base, sma->sem_perm.deleted);
+	}
 
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = ipc_perms->key;