From: Paul Moore
Date: Thu, 10 Jan 2019 20:26:58 -0500
Subject: Re: general protection fault in ebitmap_destroy
To: Stephen Smalley
Cc: syzbot, Eric Paris, linux-kernel@vger.kernel.org, peter.enderborg@sony.com, selinux@vger.kernel.org, syzkaller-bugs@googlegroups.com

On Wed, Jan 9, 2019 at 11:11 AM Stephen Smalley wrote:
> On Wed, 2019-01-09 at 07:41 -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    a88cc8da0279 Merge branch 'akpm' (patches from Andrew)
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1722da4f400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=edf1c3031097c304
> > dashboard link: https://syzkaller.appspot.com/bug?extid=6664500f0f18f07a5c0e
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d43580c00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
> >
> > SELinux: failed to load policy
> > sel_write_load: 238 callbacks suppressed
> > SELinux: failed to load policy
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > general protection fault: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 9316 Comm: syz-executor2 Not tainted 5.0.0-rc1+ #16
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
> > Code: 49 89 fd 41 54 53 e8 9d e6 36 fe 4d 85 ed 0f 84 99 00 00 00 e8 8f e6 36 fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
> > RSP: 0018:ffff88808967f5c0 EFLAGS: 00010202
> > RAX: dffffc0000000000 RBX: ffff88808967f6a8 RCX: dffffc0000000000
> > RDX: 0000000000000001 RSI: ffffffff834b1081 RDI: 0000000000000008
> > RBP: ffff88808967f5e0 R08: ffff8880972a8140 R09: ffffed1015cc5b90
> > R10: ffffed1015cc5b8f R11: ffff8880ae62dc7b R12: ffff888099d993c0
> > R13: 0000000000000008 R14: ffff888099d993c0 R15: ffff88808967f648
> > FS:  00007f70cd9e5700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000015e7938 CR3: 0000000096c4a000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  sens_destroy+0x49/0xa0 security/selinux/ss/policydb.c:735
> >  sens_read+0x25d/0x460 security/selinux/ss/policydb.c:1636
> >  policydb_read+0xed9/0x60d0 security/selinux/ss/policydb.c:2430
> >  security_load_policy+0x423/0x1830 security/selinux/ss/services.c:2129
> >  sel_write_load+0x25a/0x470 security/selinux/selinuxfs.c:565
> >  __vfs_write+0x116/0xb40 fs/read_write.c:485
> >  vfs_write+0x20c/0x580 fs/read_write.c:549
> >  ksys_write+0x105/0x260 fs/read_write.c:598
> >  __do_sys_write fs/read_write.c:610 [inline]
> >  __se_sys_write fs/read_write.c:607 [inline]
> >  __x64_sys_write+0x73/0xb0 fs/read_write.c:607
> >  do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x457ec9
> > Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007f70cd9e4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> > RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
> > RDX: 000000000000005c RSI: 0000000020000000 RDI: 0000000000000003
> > RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 00007f70cd9e56d4
> > R13: 00000000004c720f R14: 00000000004dc9a0 R15: 00000000ffffffff
> > Modules linked in:
> > ---[ end trace 78ea480790940b53 ]---
> > RIP: 0010:ebitmap_destroy+0x32/0xf0 security/selinux/ss/ebitmap.c:334
> > Code: 49 89 fd 41 54 53 e8 9d e6 36 fe 4d 85 ed 0f 84 99 00 00 00 e8 8f e6 36 fe 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 98 00 00 00 49 be 00 00 00 00 00 fc ff df 4d 8b
> > RSP: 0018:ffff88808967f5c0 EFLAGS: 00010202
> > RAX: dffffc0000000000 RBX: ffff88808967f6a8 RCX: dffffc0000000000
> > RDX: 0000000000000001 RSI: ffffffff834b1081 RDI: 0000000000000008
> > RBP: ffff88808967f5e0 R08: ffff8880972a8140 R09: ffffed1015cc5b90
> > R10: ffffed1015cc5b8f R11: ffff8880ae62dc7b R12: ffff888099d993c0
> > R13: 0000000000000008 R14: ffff888099d993c0 R15: ffff88808967f648
> > FS:  00007f70cd9e5700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000000000073c000 CR3: 0000000096c4a000 CR4: 00000000001406e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> Possible fix below
>
> From cc9324299f32db326447a28a836c462fc16bc945 Mon Sep 17 00:00:00 2001
> From: Stephen Smalley
> Date: Wed, 9 Jan 2019 10:55:10 -0500
> Subject: [PATCH] selinux: fix GPF on invalid policy
>
> levdatum->level can be NULL if we encounter an error while loading
> the policy during sens_read prior to initializing it. Make sure
> sens_destroy handles that case correctly.
>
> Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
> Signed-off-by: Stephen Smalley
> ---
>  security/selinux/ss/policydb.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index a50d625e7946..c1c31e33657a 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -732,7 +732,8 @@ static int sens_destroy(void *key, void *datum, void *p)
>  	kfree(key);
>  	if (datum) {
>  		levdatum = datum;
> -		ebitmap_destroy(&levdatum->level->cat);
> +		if (levdatum->level)
> +			ebitmap_destroy(&levdatum->level->cat);
>  		kfree(levdatum->level);
>  	}
>  	kfree(datum);
> --
> 2.20.1

...

> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches

I'm not sure if this particular bug is one that syzbot can reproduce (I
recall a different message when it had a reproducer), but it would be
nice to get some syzbot test verification if possible when posting (see
the link above for the magic).

Regardless, this looks like a good fix to me; I'm going to merge it into
the stable-5.0 tree and assuming all goes well I'll probably send it up
to Linus early next week.

--
paul moore
www.paul-moore.com
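Review bot: the new `if (levdatum->level)` guard in the sens_destroy hunk covers the only dereference of `levdatum->level` in that block, and the `kfree(levdatum->level);` that follows is correctly left unguarded, since kfree() accepts a NULL pointer; no further change to sens_destroy is needed for the partially initialised datum the commit message describes.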
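The failure mode in this thread is a general one: a reader allocates a sub-object partway through parsing, fails early on malformed input, and the destructor then assumes the sub-object exists. The following userspace model, written for this page and not taken from the thread, from syzbot or from the kernel, shows the unguarded and guarded destroy shapes side by side over a constructed policy-level blob. The struct layouts, the blob format (`sens | isalias | nwords | words`), and every `_model`/`build_level_blob` function name are this example's own assumptions; the kernel's real `struct ebitmap` and `sens_read()` look different.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the sens_read()/sens_destroy() ownership
 * pattern discussed in the thread. Layouts and blob format are invented
 * for this example; they are not the kernel's. */

struct ebitmap {
    uint32_t *bits;     /* category bits, heap-allocated by the reader */
    uint32_t  nwords;
};

struct mls_level {
    uint32_t       sens;
    struct ebitmap cat;
};

struct level_datum {
    struct mls_level *level;  /* NULL until the reader allocates it */
    uint8_t           isalias;
};

static uint32_t get_u32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);  /* host byte order: the blob never leaves this process */
    return v;
}

/* Serialise one level as: sens | isalias | nwords | words[nwords].
 * This is constructed sample input; returns the number of bytes written. */
static size_t build_level_blob(uint8_t *buf, uint32_t sens, uint32_t isalias,
                               const uint32_t *words, uint32_t nwords)
{
    uint32_t hdr[3] = { sens, isalias, nwords };
    memcpy(buf, hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, words, (size_t)nwords * sizeof *words);
    return sizeof hdr + (size_t)nwords * sizeof *words;
}

/* Model of sens_read(): every early return before the calloc below leaves
 * datum->level == NULL, the state the report's sens_destroy() ran into.
 * Returns 0 on success, -1 on a malformed blob. */
static int sens_read_model(struct level_datum *datum, const uint8_t *buf, size_t len)
{
    memset(datum, 0, sizeof *datum);              /* level = NULL from here on */
    if (len < 12)
        return -1;                                /* truncated header */
    uint32_t sens = get_u32(buf), isalias = get_u32(buf + 4), nwords = get_u32(buf + 8);
    if (nwords > 64 || len < 12 + (size_t)nwords * 4)
        return -1;                                /* bad length: level still NULL */

    datum->level = calloc(1, sizeof *datum->level);
    if (!datum->level)
        return -1;
    datum->level->sens = sens;
    datum->isalias = (uint8_t)isalias;
    datum->level->cat.bits = calloc(nwords ? nwords : 1, sizeof(uint32_t));
    if (!datum->level->cat.bits)
        return -1;                                /* level set, cat empty: still safe to destroy */
    datum->level->cat.nwords = nwords;
    memcpy(datum->level->cat.bits, buf + 12, (size_t)nwords * 4);
    return 0;
}

static void ebitmap_destroy_model(struct ebitmap *e)
{
    free(e->bits);
    e->bits = NULL;
    e->nwords = 0;
}

/* Shape of sens_destroy() before the patch: assumes level was allocated.
 * On a datum left by a failed read, &datum->level->cat is a small offset
 * from address zero, which is the kind of fault the report shows. */
static void sens_destroy_unguarded(struct level_datum *datum)
{
    ebitmap_destroy_model(&datum->level->cat);    /* faults when level == NULL */
    free(datum->level);
    datum->level = NULL;
}

/* Shape after the patch: guard the one dereference; free(NULL) is a no-op.
 * Returns 1 if a level was released, 0 if there was nothing to release. */
static int sens_destroy_guarded(struct level_datum *datum)
{
    int had_level = datum->level != NULL;
    if (datum->level)
        ebitmap_destroy_model(&datum->level->cat);
    free(datum->level);
    datum->level = NULL;
    return had_level;
}

int main(void)
{
    uint8_t blob[64];
    uint32_t cats[2] = { 0x5u, 0x80000000u };
    struct level_datum d;

    /* Well-formed level: both destroy variants are fine here. */
    size_t n = build_level_blob(blob, 3, 0, cats, 2);
    if (sens_read_model(&d, blob, n) == 0)
        sens_destroy_unguarded(&d);

    /* Truncated level (header cut short): only the guarded destroy survives. */
    int rc = sens_read_model(&d, blob, 4);
    printf("truncated read rc=%d level=%p freed=%d\n", rc, (void *)d.level,
           sens_destroy_guarded(&d));
    return 0;
}
```

The point the model makes is the one the patch makes: the reader's contract is "on error, `level` is either NULL or fully owned", so the destructor only has to guard the dereference, not the `free()`. The same review question applies to any `*_read`/`*_destroy` pair in a policy or file-format loader: enumerate each early return and check what the destructor will find there.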