Received: by 10.223.176.5 with SMTP id f5csp3014363wra;
        Thu, 1 Feb 2018 09:24:48 -0800 (PST)
X-Google-Smtp-Source: AH8x224hccc9ljDqCDCCwKoVGjlKCmt77UbVapTRKHripH39YWa3Ytj7RC+4now8XbzNcgbpaj9M
X-Received: by 10.98.78.148 with SMTP id c142mr37512753pfb.153.1517505887956;
        Thu, 01 Feb 2018 09:24:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517505887; cv=none;
        d=google.com; s=arc-20160816;
        b=i2DMcFRv39GbQHzXYKSSbmp/jRNPrZIE2q+Mbv/Vr6Tyn8QmEc455SN7Bd6q0kOfbs
         a5W5A5KWRauQCVyHmfHxKtu5LVBdDAELxVn/d8KIANbXsPvZO0BE3IgCHeYkqPTRKbu0
         Xl9gZmcEgdVS+fnPWUruocIpv8bGb0c4lm0UNoQZ5gdi65dIBCC+GZguW9gu7OayyC7Y
         639Mk94CkMVal1fG2034IVFJsty5r5JUuJ5NilrgJvk6a3ZfmmRG14zh0plqRnTBzV3X
         guMgPzdnPo13ny6/ww4aoOMfNKb3N/joA3R8j2DV2whyvr0/1MkwCe9RoKZEynXonsGE
         zTzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=PZIXN6t6zWZxE9DIPhLTYL8lxgeMKeqCGq55aha6gmI=;
        b=OlKQRovQBAy5krEn0TCHLD27rI0KxG6OdckgvgdkLbvY7Wtn6i4csA20nDNHHx917I
         Mxzyd/bLrlIrnxP6eswL9tyctPXn25Ta/BxaHw43mCN6AhkCqpZh3+SKF2kirpey606i
         NrBugSB1l7vAc9hpUOoWIvL0LUyXcmPVyAGscOBgrbVnqsgeGVOnjtyCcSCduQj+h/Tq
         yWwDpBm2q9EVTyYOwTeQLr1I5dxqMO3u9q2Xxs+jlqrzgxhuuoNnnOoQC7sEjGZA5EK6
         19HZ2dI+oxX/wqMoWmuO1K4p633W5AkzDfndgk/5azjexvzmGkptpoC7zmQvLmagUtdO
         TclA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=rCL5WPh3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x13si21815pgt.263.2018.02.01.09.24.31;
        Thu, 01 Feb 2018 09:24:47 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=rCL5WPh3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752664AbeBARXP (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Thu, 1 Feb 2018 12:23:15 -0500
Received: from mail-pl0-f68.google.com ([209.85.160.68]:33476 "EHLO
        mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751378AbeBARXM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 1 Feb 2018 12:23:12 -0500
Received: by mail-pl0-f68.google.com with SMTP id t4so4019573plo.0
        for <linux-kernel@vger.kernel.org>; Thu, 01 Feb 2018 09:23:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding:content-language;
        bh=PZIXN6t6zWZxE9DIPhLTYL8lxgeMKeqCGq55aha6gmI=;
        b=rCL5WPh35ZWyT5msfreZnih4lLoVXdmDOlTt+aAJRbxHMiGfaC6ILnNIoSo8TlC6IQ
         gj4vF3qeDNPK/LJpVsIrV3Ck1Yl7lcWrmOdc+MNfnbUvwSz3m2S3VeE874kGerG6eF/e
         4azUVv9QFUVbBGIgLeAtpxEmqH34T3O5dhZGzuOviHBH6DDf+rKElkxypiPLWmKiIhNe
         gbqegakVmWe9veAMLPXqTr/PUL+lTYcb3HuMxcOaOUofY0gO67m0r4yYmEL+vb7Ca8y0
         5By2GTqy5VtHE/gyLTXT2aGkPqFpCpdmZNA0upocX3LOtu8XA3ifwwcdpnuLx+u+4wY6
         1C/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding
         :content-language;
        bh=PZIXN6t6zWZxE9DIPhLTYL8lxgeMKeqCGq55aha6gmI=;
        b=P6MzRv2j9WyMuBOvQXYr1BPzRk7sb1yP1oSMF7/qOz8tcLC8A0k+0GLE/N9PDNh4k1
         xSJNY7PT0xT1LCvefq0N+mR7b9NSUURIh49VvcTA/KO/k3/RpuEOLHi6suv9NysRrUDG
         UJ0pk+viKgs57cEFDSOjTGAe29Nt2KNLQ0j5GXF7ifWfkgAaGuYT0wzPCmgQJF9WTMet
         xjZEcyEF88+X40SCbTTBD9i/k5iWRHLSFTVLxCIhlxLoENA9Hp9PhRizqLILcvH0wABT
         IFNRvhUv0eC994Temi/e0xOqlsMTI3zDSaFmmvR7KVmjCdgqLKkDBxXUtBcCS2dm67cb
         KqtA==
X-Gm-Message-State: AKwxytdu+s34x5Ae7a3cobCB8xwnAzNU8pihSNHzHDJQ96xmHVaclbb0
        3cClFGTiyWuOgrFW84h9nUeEPg==
X-Received: by 2002:a17:902:bd01:: with SMTP id p1-v6mr12788467pls.172.1517505792159;
        Thu, 01 Feb 2018 09:23:12 -0800 (PST)
Received: from nebulus.mtv.corp.google.com ([2620:0:1000:1612:b4fb:6752:f21f:3502])
        by smtp.googlemail.com with ESMTPSA id j6sm74011pfg.90.2018.02.01.09.23.11
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 01 Feb 2018 09:23:11 -0800 (PST)
Subject: Re: [PATCH v2] general protection fault in sock_has_perm
To:     Stephen Smalley <sds@tycho.nsa.gov>,
        Paul Moore <paul@paul-moore.com>
Cc:     linux-kernel@vger.kernel.org, Greg KH <gregkh@linuxfoundation.org>,
        Eric Dumazet <edumazet@google.com>, selinux@tycho.nsa.gov,
        linux-security-module@vger.kernel.org,
        Eric Paris <eparis@parisplace.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        stable <stable@vger.kernel.org>, James Morris <jmorris@namei.org>
References: <20180201153708.63506-1-salyzyn@android.com>
 <CAHC9VhSdR9UGpYhod5xhA76EbSKHzTW5rEiYWMovC0t6gfowig@mail.gmail.com>
 <5fb5622d-e58b-c174-3d5c-bfe55569b88e@android.com>
 <1517504530.1750.55.camel@tycho.nsa.gov>
From:   Mark Salyzyn <salyzyn@android.com>
Message-ID: <1445a6b4-1c4e-b684-62f6-1a6ff4af3fed@android.com>
Date:   Thu, 1 Feb 2018 09:23:10 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <1517504530.1750.55.camel@tycho.nsa.gov>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 02/01/2018 09:02 AM, Stephen Smalley wrote:
> On Thu, 2018-02-01 at 08:20 -0800, Mark Salyzyn wrote:
>> On 02/01/2018 08:00 AM, Paul Moore wrote:
>>> On Thu, Feb 1, 2018 at 10:37 AM, Mark Salyzyn <salyzyn@android.com>
>>> wrote:
>>>> In the absence of commit a4298e4522d6 ("net: add SOCK_RCU_FREE
>>>> socket
>>>> flag") and all the associated infrastructure changes to take
>>>> advantage
>>>> of a RCU grace period before freeing, there is a heightened
>>>> possibility that a security check is performed while an ill-timed
>>>> setsockopt call races in from user space.  It then is prudent to
>>>> null
>>>> check sk_security, and if the case, reject the permissions.
>>>>
>>>> . . .
>>>> ---[ end trace 7b5aaf788fef6174 ]---
>>>>
>>>> Signed-off-by: Mark Salyzyn <salyzyn@android.com>
>>>> Signed-off-by: Paul Moore <paul@linuxfoundation.org>
>>> No, in the previous thread I gave my ack, not my sign-off; please
>>> be
>>> more careful in the future.  It may seem silly, especially in this
>>> particular case, but it is an important distinction when things
>>> like
>>> the DCO are concerned.
>>>
>>> Anyway, here is my ack again.
>>>
>>> Acked-by: Paul Moore <paul@paul-moore.com>
>>>
>> Ok, both Greg KH and yours should be considered Acked-By. Been
>> overstepping this boundary for _years_. AFAIK Signed-off-by is still
>> pending from Stephen Smalley <sds@tycho.nsa.gov> before this can roll
>> in.
>>
>> Lesson lurned
> No, Paul's Acked-by is sufficient, and at most, I would only add
> another Acked-by or Reviewed-by, not a Signed-off-by.  Signed-off-by is
> only needed when one had something to do with the writing of the patch
> or was in the path by which it was merged.
>
> I don't object to this patch but I have a hard time adding another ack
> because I don't truly understand the root cause or how this fixes it.
> Let's say sk_prot_free() calls security_sk_free() calls
> selinux_sk_free_security() which sets sk->sk_security to NULL, and then
> we proceed to free the sksec and then sk_prot_free() frees the sk
> itself.  Now another sock is allocated (or perhaps a different object
> altogether), reuses that memory, and whatever sk->sk_security happens
> to contain is set to non-NULL.  We'll just blithely proceed past your
> check and who knows what will happen from that point onward.
>
The way I read this is this is part of an RCU operation. Multiple 
readers are holding on to the object, but as soon as a new writer comes 
in it _immediately_ frees the sk_security of the 'old' reader copies in 
order to make the 'new' writer copy. Any pending readers continue 
operations until they get tripped on the too aggressively released NULL 
sk_security reference.

Commits came in between 4.4 and 4.9 (edumazet@google.com) to restructure 
and fix this and add the appropriate RCU grace period to the 'old' 
reader copies for the sk_security resource so that it would be freed 
after all the readers had exited. Problem goes away.

My proposal will break any 'old' readers by blocking their access during 
the transition rather than panic the kernel. New readers coming in after 
the writer will progress fine.

This is not a 'bug' in the security layer, this is a bandaid to the 
security layer regarding the bad behavior of the callers.

I have not analyzed the code enough to 100% prove my assertion above, in 
part because I can not duplicate the problem w/o kasan+fuzzing, so still 
treat this as a hunch.

-- Mark