Received: by 2002:a05:7412:8d23:b0:f7:29d7:fb05 with SMTP id bj35csp7110rdb;
        Fri, 15 Dec 2023 20:19:32 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGYwld3qk2g3NA+ZzqY0GjRe6n79BTXE+3aDjllgIEHhDYCYHYdCvq5pSeBRdTC4L0bcXCn
X-Received: by 2002:a17:907:280f:b0:a1f:4d21:301a with SMTP id eb15-20020a170907280f00b00a1f4d21301amr13660168ejc.13.1702700372228;
        Fri, 15 Dec 2023 20:19:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702700372; cv=none;
        d=google.com; s=arc-20160816;
        b=KPfcw8FnG/u5xfGVrrjMm11Xs/05IqEDwraOHMyKCWhei5VNjfsM98bLqkGAIGVUuq
         Z9bV/YF2dj7Va0Uxy0loXojQMPHrMZ58LmCrucmH35xINH5uPkdVISDQSzaHkepDxQ7j
         Z138qSFNg3fWH8r2+UuAEiOnRW7IW6z9F9AB0cYE+y+QXwGrT48f7Dsc937NjZXW8ff4
         B2wSdcpKqN59xg7onN8QCb93uSmkza2mYlz7bSOhflhZlWJdSa5K1Ph/nN0twACT1uCn
         OXHcTi2lHdjc0xa56amWPNlVhpM7qeIiXMMh91OI8lsHG+BV22jx2rdbPp6z79CmU+Qg
         P7xA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date;
        bh=fs75Af97lPyqfkdPTsWrxo4MTnGAhdxehKZaJA8ch2c=;
        fh=diHC4e9hIpS8KlE53cCnKa5i2f6S+Qld/xxTynLw1jU=;
        b=PzjZZ5ZVYizOTW118qHcJCm/w0bsEz855FgRvpUmlfWurP+iRNtCaUHpRghIpl6AiP
         R/gtYoiQ6BWXp/lT7ekgZZ47OtQ43WU3FPsovPvUsRWKae/laEmag155mIAsyefPRUgz
         fgyDZKo9I6lj8hzNlyG2NkAyZXx9ekBy6QjNasCUL6MmRnGJozyjX0Od6u/LJ9A6M8Sp
         6oiQTCX4z/8Mf2KydHm1fSAD4uYl2eJhg/ArBnylCxYrc5KqwtXO2YkthF+1AgXo6F7v
         6Bmp0rQZGzcPmCxX1kWmFpAJpxoonx2mIKjgooCtiNhVjmn5AwZpAjqv0gCryi0PyhIK
         P1pg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id z5-20020a05640240c500b005519bcc5894si4081638edb.591.2023.12.15.20.19.32
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 15 Dec 2023 20:19:32 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-2042-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id F35C11F259F9
	for <linux.lists.archive@gmail.com>; Sat, 16 Dec 2023 04:19:31 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3E29610A1F;
	Sat, 16 Dec 2023 04:19:22 +0000 (UTC)
X-Original-To: linux-kernel@vger.kernel.org
Received: from mail.hallyn.com (mail.hallyn.com [178.63.66.53])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 27D3C13FEA;
	Sat, 16 Dec 2023 04:19:19 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hallyn.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mail.hallyn.com
Received: by mail.hallyn.com (Postfix, from userid 1001)
	id 37D7A928; Fri, 15 Dec 2023 22:11:16 -0600 (CST)
Date: Fri, 15 Dec 2023 22:11:16 -0600
From: "Serge E. Hallyn" <serge@hallyn.com>
To: "T. Williams" <tdwilliamsiv@gmail.com>
Cc: jmorris@namei.org, serge@hallyn.com, Paul Moore <paul@paul-moore.com>,
	linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fixing userspace memory dereference in security.c
Message-ID: <20231216041116.GA78578@mail.hallyn.com>
References: <CADN=F_ke996vNXDNz6vZ_As0Ms5Q2X7aT3t-SSGRiqdeKd6gCQ@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CADN=F_ke996vNXDNz6vZ_As0Ms5Q2X7aT3t-SSGRiqdeKd6gCQ@mail.gmail.com>

On Wed, Oct 06, 2021 at 07:03:56PM -0400, T. Williams wrote:
>  security/security.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/security/security.c b/security/security.c
> index 9ffa9e9c5c55..7c41b5d732ab 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1737,6 +1737,8 @@ int security_kernel_read_file(struct file *file, enum
> kernel_read_file_id id,
>         int ret;
> 
>         ret = call_int_hook(kernel_read_file, 0, file, id, contents);
> +       if (ret > 0)
> +               return -EINVAL;
>         if (ret)
>                 return ret;
>         return ima_read_file(file, id, contents);
> -- 
> 2.25.1
> 
> This commit is to fix a userspace address dereference found by
> syzkaller.
> The crash is triggered by passing a file descriptor to an incorrectly
> formed kernel module to finit_module.
> 
> Kernel/module.c:4175 : Within the finit_module, info.len is set to the
> return value from kernel_read_file_from_fd. This value is then
> dereferenced by memcmp within module_sig_check from inside load_module.
> The value is 0xb000000 so the kernel dereferences user memory and kernel
> panics.

Hi,

thanks for sending this.  For some reason, I can't seem to find this
message-id in lore.kernel.org to see if there were ever any replies.

There is indeed a problem, although I think a more concise explanation
is:

1. security_kernel_read_file() returns any non-zero return value to mean
permission denied
2. kernel_read_file() returns > 0 meaning number of bytes read
3. hen kernel_read_file() gets any non-zero rv from security_kernel_read_file(),
it returns that value unchanged.

Since kernel_read_file() is the only caller of security_kernel_read_file(),
I think your patch is good, except you should also change the comment above
it to read

 * Return: Returns 0 if permission is granted, < 0 on error.

Reviewed-by: Serge Hallyn <serge@hallyn.com>

I think the reason it's not been a practical problem is because while
security_kernel_read_file() will honor a >0 error from an LSM, no
LSM implementation of that hook does that.  (Only loadpin and selinux
implement it)

-serge