Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp3479508rwl; Sun, 2 Apr 2023 08:18:42 -0700 (PDT) X-Google-Smtp-Source: AKy350Y8UA3DRiY0dlJSUtmT1r8/aCjOBxoWYVfhqVkB8UOpjeAio1IpeHji69HQUOydgouemi8M X-Received: by 2002:a05:6a20:3956:b0:da:e9fa:9c29 with SMTP id r22-20020a056a20395600b000dae9fa9c29mr16436170pzg.26.1680448722226; Sun, 02 Apr 2023 08:18:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680448722; cv=none; d=google.com; s=arc-20160816; b=ifih2ZwietAfPbZCtgDF1tBmdbHKtGGELCk56PCKsKkWP17CY2bF0+/oB9hFWgHaDI yIp6lT8/8VL38ksXK6fXTlVF/Z+g4RimJwiymh7z1LJjoZ2t2KR0J1DX1O2Rf7kxKh1J X0u0Y8uMhAugmtEvSgBxMampzXeJTxAx1okm85pfnn38kK9enFaYxJIqRgomU2peO5lX hMgFjQLXwfVC9xXSpt1y21z598TCaH7Y3ZI62E84bBhBi0D7I+T2heMDy4FSjVNeZ1IA IA/z961RikHYUInJTVlEcD71ksRZ5WxGk+Po7wlGiQUrJtFzhFIPtmGftDNDEjRquvbB cMmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=srtxwhfavuNLVEqBKCn0HkTlKyHJRXfd1PAURlkq5Mk=; b=SdE7bw3c+UZS0wQVjt8Qtkmeuht4vu2/UUldLjQluZV8K9Q8UU/V5Lve7H4HBdaT8u 4UgzG8pqjdD+br8s/H4cXxwHNbSmayp5HdDJHSKtHbZQ+wUbRGH4CESHJBrN3TnSX/H3 o0YgciQ/6BJmvNG/sD1j0LeLPepY/5QXel/IhjD/xqsqz2wmeqMmquWaHFTj/rIp5jZB SBeAAWju0E2Rwgl1VQelkxdZ6V4rlV3loCJuV92zkrpKcZMT2JI5DafzLWEWBz6XYzCK 1hMiMVMEylwSWsuI9IPXMcLv1tfb1e054OaQoFQk/Aj29DqbGimiW7+8sGAPhdxzWyZn oTQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=MYlRKoZj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w4-20020a656944000000b004fb7e7ef77dsi6560259pgq.693.2023.04.02.08.18.30; Sun, 02 Apr 2023 08:18:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=MYlRKoZj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230444AbjDBPOs (ORCPT + 99 others); Sun, 2 Apr 2023 11:14:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231133AbjDBPOr (ORCPT ); Sun, 2 Apr 2023 11:14:47 -0400 Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E12058A73 for ; Sun, 2 Apr 2023 08:14:44 -0700 (PDT) Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-5419d4c340aso507166847b3.11 for ; Sun, 02 Apr 2023 08:14:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1680448484; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=srtxwhfavuNLVEqBKCn0HkTlKyHJRXfd1PAURlkq5Mk=; b=MYlRKoZjIVEJvrRebWhj3FgQYhVKAb/y7cpWCSsNWAQ/Kkroh4+nCrEmh1ssgfrqI5 IN3wHyxU1XyjYtV4gKmMtGNzowAWze2L8X22m23Y1PCasSarEWHz5N/4t5As59R+eGOv AHcEqvY9sy6gvlG3aqZST+s72xGqnwVjdLj3lTy9l6tV7DC/W91iaRVzZCfB36Y+0SzF Wwi6/EQ4IklUOERei0aziwqjPyXfSwya4MOy8e1M9tfZdF8Ja2o3kQC52mB4kxRWYLBe ryind48KuriOh1gAaysj0ZrbnOxbUJuAkeJEPVwmgRndAo4g7pGlV+vCm5v25gi3k4Ez Q04w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680448484; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=srtxwhfavuNLVEqBKCn0HkTlKyHJRXfd1PAURlkq5Mk=; b=X1WS+4tkqUkFhS3KkP5NLBIFQUC455vrPvYHWs1or+56Jyl0Av3snLbuEpuSQ/Cfou h4Il4gkjpYpgT5H9h8gwEmfzccjDpqa3fRilZyFDWCg7OQGtxTjH1w20+K60jk6FleI2 3MItPeCLswIRnozashuQ0Cw5SsGIFqJv6E4H4hO9h3sYMD0LrcaVQc30yyHkZ//j5YQ4 EHEA1PDaTSlFYQFgE3N9TnpZrJtB3oifog1Ph6QjDKCPw+HMFtxbWoOue+j6IOemtgKg 6QK+sFTNeLK0/e5bp5GfSFyjKBHPgi1aXvpt8XSiux/2GFKVXqFojsA7f4fgTlJMCXwh r9Dg== X-Gm-Message-State: AAQBX9cALKHZRPiq/c45MOfvukmn4NZge27nxZBHaDggyL/uz4xpQYff O0RVqU10O15ONlV3SOsvEpA3km7bBmeJ1dwPcTt2 X-Received: by 2002:a81:bc0c:0:b0:545:612a:c04a with SMTP id a12-20020a81bc0c000000b00545612ac04amr15852261ywi.8.1680448483967; Sun, 02 Apr 2023 08:14:43 -0700 (PDT) MIME-Version: 1.0 References: <20230401214151.1243189-1-vvidic@valentin-vidic.from.hr> In-Reply-To: <20230401214151.1243189-1-vvidic@valentin-vidic.from.hr> From: Paul Moore Date: Sun, 2 Apr 2023 11:14:33 -0400 Message-ID: Subject: Re: [PATCH] security, lsm: security_old_inode_init_security() Handle multi LSM registration To: Valentin Vidic Cc: James Morris , "Serge E. Hallyn" , Christian Brauner , Dave Chinner , Casey Schaufler , John Johansen , Micah Morton , =?UTF-8?Q?G=C3=BCnther_Noack?= , Al Viro , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Vivek Goyal Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 1, 2023 at 5:42=E2=80=AFPM Valentin Vidic wrote: > > Copying files to an ocfs2 filesystem causes a crash with NULL pointer > dereference in strlen. > > [ 27.386786] BUG: kernel NULL pointer dereference, address: 00000000000= 00000 > [ 27.386818] #PF: supervisor read access in kernel mode > [ 27.386832] #PF: error_code(0x0000) - not-present page > [ 27.386844] PGD 0 P4D 0=3D20 > [ 27.386855] Oops: 0000 [#1] PREEMPT SMP PTI > [ 27.386867] CPU: 0 PID: 1792 Comm: cp Not tainted 6.1.0-5-amd64 #1 De= bian 6.1.12-1 > [ 27.386887] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1= .14.0-2 04/01/2014 > [ 27.386904] RIP: 0010:strlen+0x0/0x20 > [ 27.386928] Code: b6 07 38 d0 74 14 48 83 c7 01 84 c0 74 05 48 39 f7 7= 5 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 <= 80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc > [ 27.386966] RSP: 0018:ffffa33340e4fbc0 EFLAGS: 00010202 > [ 27.386980] RAX: ffff8b578c3b1800 RBX: 0000000000000001 RCX: 000000000= 0000000 > [ 27.386996] RDX: 0000000000000100 RSI: ffff8b57843d86e8 RDI: 000000000= 0000000 > [ 27.387012] RBP: ffff8b57849ca608 R08: ffffa33340e4fc7c R09: ffffa3334= 0e4fc84 > [ 27.387027] R10: ffff8b578f1e6000 R11: ffffa33340e4fc80 R12: ffffa3334= 0e4fcb8 > [ 27.387043] R13: ffffa33340e4fc84 R14: 00000000000041c0 R15: ffffa3334= 0e4fc7c > [ 27.387059] FS: 00007f7b36d50500(0000) GS:ffff8b57bec00000(0000) knlG= S:0000000000000000 > [ 27.387077] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 27.387091] CR2: 0000000000000000 CR3: 000000003cfe2003 CR4: 000000000= 0370ef0 > [ 27.387111] Call Trace: > [ 27.387130] > [ 27.387141] ocfs2_calc_xattr_init+0x7d/0x330 [ocfs2] > [ 27.387382] ocfs2_mknod+0x471/0x1020 [ocfs2] > [ 27.387471] ? preempt_count_add+0x6a/0xa0 > [ 27.387487] ? _raw_spin_lock+0x13/0x40 > [ 27.387506] ocfs2_mkdir+0x44/0x130 [ocfs2] > [ 27.387583] ? security_inode_mkdir+0x3e/0x70 > [ 27.387598] vfs_mkdir+0x9c/0x140 > [ 27.387617] do_mkdirat+0x142/0x170 > [ 27.387631] __x64_sys_mkdirat+0x47/0x80 > [ 27.387643] do_syscall_64+0x58/0xc0 > [ 27.387659] ? vfs_fstatat+0x5b/0x70 > [ 27.387671] ? __do_sys_newfstatat+0x3f/0x80 > [ 27.387684] ? fpregs_assert_state_consistent+0x22/0x50 > [ 27.387698] ? exit_to_user_mode_prepare+0x3c/0x1c0 > [ 27.387712] ? syscall_exit_to_user_mode+0x17/0x40 > [ 27.387726] ? do_syscall_64+0x67/0xc0 > [ 27.387738] ? exit_to_user_mode_prepare+0x3c/0x1c0 > [ 27.387752] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Similar to security_dentry_init_security fix in 7f5056b9e7b, the problem > is that ocfs2 checks the return code from security_old_inode_init_securit= y > and if the return code is 0, it assumes everything is fine and continues > to call strlen(name), which crashes. > > Typically SELinux LSM returns 0 and sets name to "security.selinux" and > it is not a problem. Or if SELinux is not compiled in or disabled, it > returns -EOPNOTSUP and ocfs2 deals with it. > > However if BPF LSM is enabled, it registeres every hook and returns the > default return value, in this case 0. > > This patch copies the behaviour of security_dentry_init_security() to > allow only one LSM to initialize security context (or return the default > value of -EOPNOTSUP). > > Signed-off-by: Valentin Vidic > --- > include/linux/lsm_hook_defs.h | 2 +- > security/security.c | 16 ++++++++++++++-- > 2 files changed, 15 insertions(+), 3 deletions(-) Hi Valentin, Thanks for the problem report and a patch. It's always good to get bug reports, and it's even better when they come with a patch :) If you have the time, could you try a patch we have queued up in the lsm/next branch? We are in the process of removing security_old_inode_init_security() and transitioning all the callers over to security_inode_init_security(), and I believe the ocfs2 patch for this should solve the problem you are seeing, can you test it on your system and let us know? https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git/patch/?id= =3Dde3004c874e740304cc4f4a83d6200acb511bbda --=20 paul-moore.com