BUG: unable to handle kernel paging request in security_compute_sid

Sat Dec 23 11:44:15 UTC 2017

On Fri, Dec 22, 2017 at 11:14 PM, Eric Biggers <ebiggers3 at gmail.com> wrote:
> On Fri, Dec 22, 2017 at 01:38:01PM -0800, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 6084b576dca2e898f5c101baef151f7bfdbb606d
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>>
>>
>> BUG: unable to handle kernel paging request at 00000000830e2118
>> IP: security_compute_sid.part.11+0x418/0x710
>> security/selinux/ss/services.c:1640
>> PGD 0 P4D 0
>> Oops: 0000 [#1] SMP
>> Dumping ftrace buffer:
>>    (ftrace buffer empty)
>> Modules linked in:
>> CPU: 0 PID: 3391 Comm: kworker/u4:0 Not tainted 4.15.0-rc3-next-20171214+
>> #67
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> RIP: 0010:security_compute_sid.part.11+0x418/0x710
>> security/selinux/ss/services.c:1640
>> RSP: 0018:ffffc90001993c70 EFLAGS: 00010293
>> RAX: ffff880216ba0800 RBX: 0000000000000002 RCX: ffffffff81667b88
>> RDX: 0000000000000000 RSI: 0000000000000005 RDI: ffffffff83fd17a0
>> RBP: ffffc90001993d20 R08: 0000000000000001 R09: 0000000000000001
>> R10: ffffc90001993be0 R11: 0000000000000000 R12: ffff88021694f188
>> R13: 0000000000000010 R14: ffff880216592388 R15: 00000000830e20e0
>> FS:  0000000000000000(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000830e2118 CR3: 000000000301e001 CR4: 00000000001606f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>  security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598
>>  security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764
>>  selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423
>>  security_bprm_set_creds+0x41/0x60 security/security.c:332
>>  prepare_binprm+0xae/0x1f0 fs/exec.c:1561
>>  do_execveat_common.isra.30+0x6f7/0xb90 fs/exec.c:1784
>>  do_execve+0x31/0x40 fs/exec.c:1848
>>  call_usermodehelper_exec_async+0x104/0x190 kernel/umh.c:100
>>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
>> Code: 40 74 15 41 83 fd 10 74 0f e8 d5 27 c5 ff 4d 85 ff 75 33 e9 6f 02 00
>> 00 e8 c6 27 c5 ff 4d 85 ff 0f 84 e6 02 00 00 e8 b8 27 c5 ff <41> 80 7f 38 02
>> 0f 84 5c 01 00 00 e8 a8 27 c5 ff 41 8b 06 89 45
>> RIP: security_compute_sid.part.11+0x418/0x710
>> security/selinux/ss/services.c:1640 RSP: ffffc90001993c70
>> CR2: 00000000830e2118
>> ---[ end trace fe59d8175af57ffc ]---
>> Kernel panic - not syncing: Fatal exception
>> Dumping ftrace buffer:
>>    (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>
> This is yet another one where the reproducer is using AF_ALG and binding to the
> "pcrypt(gcm_base(ctr(aes-aesni),ghash-generic))" algorithm, so it's running into
> the pcrypt_free() bug which is causing slab cache corruption:
>
> https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
>
> https://patchwork.kernel.org/patch/10126761/
>
> So let's mark it as a duplicate:
>
> #syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
>
> I wonder if it would be of any help to disable slab cache merging, i.e. set
> CONFIG_SLAB_MERGE_DEFAULT=n?  That would reduce the number of duplicate reports,
> though perhaps at the risk of hiding bugs.

Disabling slab cache merging will only pepper over the real problem.
If we have crypto cache badly corrupted, it still can manifest in
multiple different ways. I think it's the right time to make KASAN
properly detect such invalid frees. I am drafting changes to KASAN,
with them on this reproducer it reports:

BUG: KASAN: double-free or invalid-free in pcrypt_free+0x21/0x30
crypto/pcrypt.c:357
Freed pointer ffff880065034e10

CPU: 2 PID: 3241 Comm: cryptomgr_test Not tainted 4.15.0-rc4-mm1+ #38
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_invalid_free+0x64/0x90 mm/kasan/report.c:337
 kasan_check_slab_object+0xdc/0x100 mm/kasan/kasan.c:499
 kasan_slab_free+0x14/0x70 mm/kasan/kasan.c:526
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xd9/0x260 mm/slab.c:3800
 pcrypt_free+0x21/0x30 crypto/pcrypt.c:357
 crypto_aead_free_instance+0x9e/0xd0 crypto/aead.c:155
 crypto_free_instance+0x6d/0x100 crypto/algapi.c:77
 crypto_destroy_instance+0x3c/0x80 crypto/algapi.c:85
 crypto_alg_put crypto/internal.h:116 [inline]
 crypto_remove_final+0x212/0x370 crypto/algapi.c:331
 crypto_alg_tested+0x445/0x6f0 crypto/algapi.c:320
 cryptomgr_test+0x17/0x30 crypto/algboss.c:226
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524

Allocated by task 3236:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:556
 kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3607
 kmalloc include/linux/slab.h:516 [inline]
 kzalloc include/linux/slab.h:705 [inline]
 pcrypt_create_aead crypto/pcrypt.c:291 [inline]
 pcrypt_create+0x137/0x6c0 crypto/pcrypt.c:346
 cryptomgr_probe+0x74/0x240 crypto/algboss.c:75
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524

The buggy address belongs to the object at ffff880065d5b200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 80 bytes inside of
 1024-byte region [ffff880065d5b200, ffff880065d5b600)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html