[v4,2/8] LSM: Maintain a table of LSM attribute data

Message ID 20221229233454.43880-3-casey@schaufler-ca.com
State New
Series LSM: Three basic syscalls |

Commit Message

Casey Schaufler Dec. 29, 2022, 11:34 p.m. UTC
As LSMs are registered, add their lsm_id pointers to a table.
This table will be used later for attribute reporting.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h | 18 ++++++++++++++++++
 security/security.c      | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)
  

Comments

Liu, Yujie Jan. 2, 2023, 4:06 p.m. UTC | #1
Greeting,

FYI, we noticed UBSAN:array-index-out-of-bounds_in_security/security.c due to commit (built with gcc-11):

commit: 541d81106c1f677b6140c5eb894dda23b6422614 ("[PATCH v4 2/8] LSM: Maintain a table of LSM attribute data")
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Maintain-a-table-of-LSM-attribute-data/20221230-083536
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 03c4c7f88709fac0e20b6a48357c73d6fc50e544
patch link: https://lore.kernel.org/all/20221229233454.43880-3-casey@schaufler-ca.com/
patch subject: [PATCH v4 2/8] LSM: Maintain a table of LSM attribute data

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


[  335.323207][    T0] UBSAN: array-index-out-of-bounds in security/security.c:529:13
[  335.324261][    T0] index 4 is out of range for type 'lsm_id *[4]'
[  335.324964][    T0] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-rc1-00003-g541d81106c1f #1
[  335.325955][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[  335.327092][    T0] Call Trace:
[  335.327472][    T0]  <TASK>
[ 335.327802][ T0] dump_stack_lvl (??:?) 
[ 335.328350][ T0] ubsan_epilogue (ubsan.c:?) 
[ 335.328350][ T0] __ubsan_handle_out_of_bounds (??:?) 
[ 335.328350][ T0] ? __register_sysctl_paths (??:?) 
[ 335.328350][ T0] security_add_hooks (??:?) 
[ 335.328350][ T0] safesetid_security_init (lsm.c:?) 
[ 335.328350][ T0] initialize_lsm (security.c:?) 
[ 335.328350][ T0] ordered_lsm_init (security.c:?) 
[ 335.328350][ T0] security_init (??:?) 
[ 335.328350][ T0] start_kernel (??:?) 
[ 335.328350][ T0] secondary_startup_64_no_verify (??:?) 
[  335.328350][    T0]  </TASK>
[  335.328356][    T0] ================================================================================
[  335.329401][    T0] Kernel panic - not syncing: security_add_hooks Too many LSMs registered.
[  335.330386][    T0] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-rc1-00003-g541d81106c1f #1
[  335.331405][    T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[  335.332607][    T0] Call Trace:
[  335.332957][    T0]  <TASK>
[ 335.333282][ T0] dump_stack_lvl (??:?) 
[ 335.333799][ T0] panic (??:?) 
[ 335.334242][ T0] security_add_hooks (??:?) 
[ 335.334793][ T0] safesetid_security_init (lsm.c:?) 
[ 335.335426][ T0] initialize_lsm (security.c:?) 
[ 335.335920][ T0] ordered_lsm_init (security.c:?) 
[ 335.336458][ T0] security_init (??:?) 
[ 335.337004][ T0] start_kernel (??:?) 
[ 335.337510][ T0] secondary_startup_64_no_verify (??:?) 
[  335.338178][    T0]  </TASK>


If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <yujie.liu@intel.com>
| Link: https://lore.kernel.org/oe-lkp/202301022326.638b5c49-yujie.liu@intel.com


To reproduce:

        # build kernel
	cd linux
	cp config-6.2.0-rc1-00003-g541d81106c1f .config
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
  

Patch

diff --git a/include/linux/security.h b/include/linux/security.h
index 5b67f208f7de..e70d546acf3d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -139,6 +139,24 @@  enum lockdown_reason {
 
 extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
 
+/* The capability module is accounted for by CONFIG_SECURITY */
+#define LSMID_ENTRIES ( \
+	(IS_ENABLED(CONFIG_SECURITY) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_LOCKDOWN) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
+	(IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
+
+extern u32 lsm_active_cnt;
+extern struct lsm_id *lsm_idlist[];
+
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
 		       int cap, unsigned int opts);
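Review bot: Two of the symbols in LSMID_ENTRIES do not look like the real Kconfig names: as far as I know lockdown is selected by `CONFIG_SECURITY_LOCKDOWN_LSM` and IMA by `CONFIG_IMA`, so `IS_ENABLED(CONFIG_SECURITY_LOCKDOWN)` and `IS_ENABLED(CONFIG_SECURITY_IMA)` would always evaluate to 0. An undersized count makes lsm_idlist too small for the modules that actually register, which would fit the robot's report of index 4 against a four-entry table, though the config used there is not shown on this page. IS_ENABLED() cannot flag a misspelled symbol, so a comment beside the macro stating that each term must match the LSM's Kconfig symbol, and that new LSMs must be added here, would help. The declaration could also carry the bound, `extern struct lsm_id *lsm_idlist[LSMID_ENTRIES];`, so code outside security.c can check indexes against it.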
diff --git a/security/security.c b/security/security.c
index 07a8fe7f92bf..4acb14500bc3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@ 
 #include <linux/backing-dev.h>
 #include <linux/string.h>
 #include <linux/msg.h>
+#include <uapi/linux/lsm.h>
 #include <net/flow.h>
 
 #define MAX_LSM_EVM_XATTR	2
@@ -341,6 +342,12 @@  static void __init report_lsm_order(void)
 	pr_cont("\n");
 }
 
+/*
+ * Current index to use while initializing the lsm id list.
+ */
+u32 lsm_active_cnt __lsm_ro_after_init;
+struct lsm_id *lsm_idlist[LSMID_ENTRIES] __lsm_ro_after_init;
+
 static void __init ordered_lsm_init(void)
 {
 	struct lsm_info **lsm;
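Review bot: The comment above the two new definitions describes only lsm_active_cnt, leaving lsm_idlist without any statement of what it holds or who fills it. Something like `/* lsm_idlist[0 .. lsm_active_cnt - 1]: lsm_id of each LSM that called security_add_hooks(), in registration order. */` would cover it. lsm_active_cnt is declared `u32` here but printed with `%d` in the ordered_lsm_init hunk; `%u` matches the type.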
@@ -388,6 +395,7 @@  static void __init ordered_lsm_init(void)
 	for (lsm = ordered_lsms; *lsm; lsm++)
 		initialize_lsm(*lsm);
 
+	init_debug("lsm count            = %d\n", lsm_active_cnt);
 	kfree(ordered_lsms);
 }
 
@@ -513,6 +521,16 @@  void __init security_add_hooks(struct security_hook_list *hooks, int count,
 {
 	int i;
 
+	/*
+	 * A security module may call security_add_hooks() more
+	 * than once. Landlock is one such case.
+	 */
+	if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt -1] != lsmid)
+		lsm_idlist[lsm_active_cnt++] = lsmid;
+
+	if (lsm_active_cnt > LSMID_ENTRIES)
+		panic("%s Too many LSMs registered.\n", __func__);
+
 	for (i = 0; i < count; i++) {
 		hooks[i].lsmid = lsmid;
 		hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
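Review bot: The store `lsm_idlist[lsm_active_cnt++] = lsmid;` runs before the `lsm_active_cnt > LSMID_ENTRIES` test, so when the table is already full the pointer is written one slot past the end before panic() is reached; the UBSAN report quoted in the comments (security/security.c:529) lines up with this statement. The test should come first, inside the branch that adds a new entry: `if (lsm_active_cnt >= LSMID_ENTRIES) panic("%s Too many LSMs registered.\n", __func__);` followed by the store. The duplicate check compares only against the last entry, so it relies on a module's repeated security_add_hooks() calls being consecutive, which the comment should say. `lsm_active_cnt -1` is also missing a space before the `1`. The function body continues past the end of this hunk.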