NULL deref in integrity_inode_get
Mimi Zohar
zohar at linux.ibm.com
Mon Mar 15 12:41:28 UTC 2021
Hi Dmitry,
On Mon, 2021-03-15 at 11:58 +0100, Dmitry Vyukov wrote:
> Hi,
>
> I am trying to boot 5.12-rc3 with this config:
> https://github.com/google/syzkaller/blob/cc1cff8f1e1a585894796d6eae8c51eef98037e6/dashboard/config/linux/upstream-smack-kasan.config
>
> in qemu:
> qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu
> max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G -hda
> wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std
> -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard
> -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net
> nic,model=virtio-net-pci -object
> memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M
> -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0
> root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1
> panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile
> vm_pid -m 2G -cpu host
>
> But it crashes on NULL deref in integrity_inode_get during boot:
>
> Run /sbin/init as init process
> BUG: kernel NULL pointer dereference, address: 000000000000001c
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP KASAN
> CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014
> RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920
> Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b
> 3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f
> 1c 4cf
> RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000
> RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888019263627
> R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40
> R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff
> FS: 0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> integrity_inode_get+0x47/0x260 security/integrity/iint.c:105
> process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237
> ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474
> security_bprm_check+0x7d/0xa0 security/security.c:845
> search_binary_handler fs/exec.c:1708 [inline]
> exec_binprm fs/exec.c:1761 [inline]
> bprm_execve fs/exec.c:1830 [inline]
> bprm_execve+0x764/0x19a0 fs/exec.c:1792
> kernel_execve+0x370/0x460 fs/exec.c:1973
> try_to_run_init_process+0x14/0x4e init/main.c:1366
> kernel_init+0x11d/0x1b8 init/main.c:1477
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> Modules linked in:
> CR2: 000000000000001c
> ---[ end trace 22d601a500de7d79 ]---
It looks like integrity_inode_get() fails to alloc memory. Only on
failure to verify the integrity of a file would an error be returned.
I think that is what you would want to happen. Without an "appraise"
policy, this shouldn't happen.
Mimi
More information about the Linux-security-module-archive
mailing list