From: "Guozihua (Scott)" <guozihua@huawei.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>, <dmitry.kasatkin@gmail.com>,
<sds@tycho.nsa.gov>, <eparis@parisplace.org>,
Greg KH <gregkh@linuxfoundation.org>, <sashal@kernel.org>,
<selinux@vger.kernel.org>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>, <stable@vger.kernel.org>
Subject: Re: [RFC] IMA LSM based rule race condition issue on 4.19 LTS
Date: Mon, 19 Dec 2022 15:10:55 +0800 [thread overview]
Message-ID: <381efcb7-604f-7f89-e950-efc142350417@huawei.com> (raw)
In-Reply-To: <CAHC9VhT0SRWMi2gQKaBPOj1owqUh-24O9L2DyOZ8JDgEr+ZQiQ@mail.gmail.com>
On 2022/12/16 11:04, Paul Moore wrote:
> On Thu, Dec 15, 2022 at 9:36 PM Guozihua (Scott) <guozihua@huawei.com> wrote:
>> On 2022/12/16 5:04, Paul Moore wrote:
>
> ...
>
>>> How bad is the backport really? Perhaps it is worth doing it to see
>>> what it looks like?
>>>
>> It might not be that bad, I'll try to post a version next Monday.
>
> Thanks for giving it a shot.
>
When I am trying a partial backport of b16942455193 ("ima: use the lsm
policy update notifier"), I took a closer look into it and if we rip off
the RCU and the notifier part, there would be a potential UAF issue when
multiple processes are calling ima_lsm_update_rule() and
ima_match_rules() at the same time. ima_lsm_update_rule() would free the
old rule if the new rule is successfully copied and initialized, leading
to ima_match_rules() accessing a freed rule.
To reserve the mainline solution, we would have to either introduce RCU
for rule access, which would work better with notifier mechanism or the
same rule would be updated multiple times, or we would have to introduce
a lock for LSM based rule update.
--
Best
GUO Zihua
next prev parent reply other threads:[~2022-12-19 7:11 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-09 7:00 [RFC] IMA LSM based rule race condition issue on 4.19 LTS Guozihua (Scott)
2022-12-09 7:12 ` Greg KH
2022-12-09 7:53 ` Guozihua (Scott)
2022-12-09 8:46 ` Greg KH
2022-12-09 8:59 ` Guozihua (Scott)
2022-12-09 9:00 ` Greg KH
2022-12-09 9:11 ` Guozihua (Scott)
2022-12-09 9:22 ` Greg KH
2022-12-09 9:32 ` Guozihua (Scott)
2022-12-09 9:38 ` Guozihua (Scott)
2022-12-09 10:27 ` Greg KH
2022-12-12 2:39 ` Guozihua (Scott)
2022-12-13 15:30 ` Mimi Zohar
2022-12-14 1:33 ` Guozihua (Scott)
2022-12-14 12:19 ` Mimi Zohar
2022-12-15 8:51 ` Guozihua (Scott)
2022-12-15 10:49 ` Mimi Zohar
2022-12-15 13:15 ` Guozihua (Scott)
2022-12-15 14:30 ` Mimi Zohar
2022-12-15 21:04 ` Paul Moore
2022-12-16 2:36 ` Guozihua (Scott)
2022-12-16 3:04 ` Paul Moore
2022-12-19 7:10 ` Guozihua (Scott) [this message]
2022-12-19 13:11 ` Mimi Zohar
2022-12-20 1:11 ` Guozihua (Scott)
2022-12-21 10:51 ` Guozihua (Scott)
2022-12-23 8:04 ` Guozihua (Scott)
2022-12-24 3:41 ` Guozihua (Scott)
2022-12-24 7:47 ` Guozihua (Scott)
2023-01-06 1:05 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=381efcb7-604f-7f89-e950-efc142350417@huawei.com \
--to=guozihua@huawei.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-integrity@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox