From: Kees Cook
Date: Mon, 15 Apr 2019 22:40:52 -0500
Subject: Re: kernel BUG at kernel/cred.c:434!
To: Paul Moore
Cc: Oleg Nesterov, Casey Schaufler, "chengjian (D)", NeilBrown, Anna Schumaker, Kees Cook, linux-kernel@vger.kernel.org, Al Viro, "Xiexiuqi (Xie XiuQi)", Li Bin, Jason Yan, Peter Zijlstra, Ingo Molnar, Linux Security Module list, SELinux
References: <6e4428ca-3da1-a033-08f7-a51e57503989@huawei.com> <20190415134331.GC22204@redhat.com> <20190415150520.GA13257@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 15, 2019 at 11:20 AM Paul Moore wrote:
>
> On Mon, Apr 15, 2019 at 11:05 AM Oleg Nesterov wrote:
> > On 04/15, Paul Moore wrote:
> > >
> > > On Mon, Apr 15, 2019 at 9:43 AM Oleg Nesterov wrote:
> > > > Well, acct("/proc/self/attr/current") doesn't look like a good idea, but I do
> > > > not know where we should put the additional check... And probably
> > > > "echo /proc/self/attr/current > /proc/sys/kernel/core_pattern" can hit the
> > > > same problem, do_coredump() does override_creds() too.
> > > >
> > > > Maybe just add
> > > >
> > > >         if (current->cred != current->real_cred)
> > > >                 return -EACCES;
> > > >
> > > > into proc_pid_attr_write(), I dunno.
> > >
> > > Is the problem that do_acct_process() is calling override_creds() and
> > > the returned/old credentials are being freed before do_acct_process()
> > > can reinstall the creds via revert_creds()? Presumably because the
> > > process accounting is causing the credentials to be replaced?
> >
> > Afaics, the problem is that do_acct_process() does override_creds() and
> > then __kernel_write(). Which calls proc_pid_attr_write(), which in turn calls
> > selinux_setprocattr(), which does another prepare_creds() + commit_creds();
> > and commit_creds() hits
> >
> >         BUG_ON(task->cred != old);
>
> Gotcha. In the process of looking at the backtrace I forgot about the
> BUG_ON() at the top of the oops message.
>
> I wonder what terrible things would happen if we changed the BUG_ON()
> in commit_creds to simply returning an error code to the caller. There
> is a warning/requirement in the commit_creds() function header comment
> that it should always return 0.

Would callers be expected to call abort_creds() on failure? There are a
number of places where it'd need fixing up. And would likely be best
with a __must_check marking. It seems like avoiding the pathological
case might be simpler?

-- 
Kees Cook
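Added model of the failing path discussed above; this is not kernel code. The structs and functions are stand-ins named after override_creds()/revert_creds()/commit_creds()/proc_pid_attr_write()/do_acct_process(), the BUG_ON() is turned into a return code so it can be observed, and Oleg's proposed `cred != real_cred` check sits behind a `guarded` flag so both outcomes can be compared.

```c
/* Simplified model, not kernel code: commit_creds() requires task->cred ==
 * task->real_cred; override_creds() breaks that equality until revert_creds(),
 * and a write to /proc/self/attr/current in between re-enters commit_creds(). */
#include <stdbool.h>
#define EACCES 13
#define WOULD_BUG (-1000)   /* stand-in for the kernel's BUG_ON() firing */
struct cred { int uid; };
struct task {
    const struct cred *real_cred;   /* objective credentials */
    const struct cred *cred;        /* subjective (effective) credentials */
};

/* Swap the subjective creds only; returns the old ones for revert_creds(). */
static const struct cred *override_creds(struct task *t, const struct cred *new_cred)
{
    const struct cred *old = t->cred;
    t->cred = new_cred;
    return old;
}

static void revert_creds(struct task *t, const struct cred *old) { t->cred = old; }

/* Install new creds; the kernel's BUG_ON(task->cred != old) is modelled as
 * a return code so the caller can observe it instead of crashing. */
static int commit_creds(struct task *t, const struct cred *new_cred)
{
    if (t->cred != t->real_cred)
        return WOULD_BUG;
    t->real_cred = t->cred = new_cred;
    return 0;
}

/* proc_pid_attr_write() -> selinux_setprocattr(); `guarded` adds Oleg's check. */
static int proc_pid_attr_write(struct task *t, const struct cred *new_cred, bool guarded)
{
    if (guarded && t->cred != t->real_cred)
        return -EACCES;
    return commit_creds(t, new_cred);
}

/* do_acct_process(): write the acct record under overridden creds, then revert.
 * With acct("/proc/self/attr/current") that write re-enters commit_creds(). */
static int do_acct_process(struct task *t, const struct cred *file_cred,
                           const struct cred *label, bool guarded)
{
    const struct cred *saved = override_creds(t, file_cred);
    int ret = proc_pid_attr_write(t, label, guarded);
    revert_creds(t, saved);
    return ret;
}
```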