Thread (11 messages) 11 messages, 2 authors, 2018-01-15

BUG: unable to handle kernel NULL pointer dereference in sidtab_search_core

From: dvyukov@google.com (Dmitry Vyukov)
Date: 2017-12-22 16:59:37
Also in: lkml, selinux

Possibly related (same subject, not in this thread)

On Fri, Dec 22, 2017 at 5:03 PM, Paul Moore [off-list ref] wrote:
quoted
quoted
quoted
quoted
wrote:
quoted
Hello,

syzkaller hit the following crash on
6084b576dca2e898f5c101baef151f7bfdbb606d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


SELinux: security_compute_sid:  unrecognized SID 1
SELinux: security_compute_sid:  unrecognized SID 1
SELinux: security_compute_sid:  unrecognized SID 1
SELinux: security_compute_sid:  unrecognized SID 1
SELinux: security_compute_sid:  unrecognized SID 1
BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100
PGD 0 P4D 0
Oops: 0000 [#1] SMP
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4252 Comm: kworker/u4:1 Not tainted 4.15.0-rc3-next-20171214+
#67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100
RSP: 0018:ffffc900028abc18 EFLAGS: 00010293
RAX: ffff8802131a87c0 RBX: 0000000000000001 RCX: ffffffff8165d978
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff83fd17a0
RBP: ffffc900028abc40 R08: 0000000000000001 R09: 0000000000000001
R10: ffffc900028abbe0 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: ffff880214d93800
FS:  0000000000000000(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 0000000214e31000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
 security_compute_sid.part.11+0xe2/0x710 security/selinux/ss/services.c:1618
 security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598
 security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764
 selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423
 security_bprm_set_creds+0x41/0x60 security/security.c:332
 prepare_binprm+0xae/0x1f0 fs/exec.c:1561
 do_execveat_common.isra.30+0x6f7/0xb90 fs/exec.c:1784
 do_execve+0x31/0x40 fs/exec.c:1848
 call_usermodehelper_exec_async+0x104/0x190 kernel/umh.c:100
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
Code: 8b 5b 50 48 85 db 75 e5 e8 e6 c9 c5 ff 49 8b 5f 18 48 85 db 75 10 eb
43 e8 d6 c9 c5 ff 48 8b 5b 50 48 85 db 74 35 e8 c8 c9 c5 ff <44> 8b 23 41 83
fc 02 76 e4 e8 ba c9 c5 ff 41 83 fc 03 75 1c 48
RIP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100 RSP:
ffffc900028abc18
CR2: 0000000000000001
---[ end trace 571c0ea6c6959387 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
Based on the reproducer and the stack trace, I'm guessing the system
is attempting to load a kernel module for a a defined, but unloaded,
protocol.  Looking quickly at the SELinux bprm and sidtab code,
nothing obvious is jumping out at me.  Considering the number of false
positives I've been seeing from syzbot lately, I'm assuming this is
more of the same.
Hi Paul,

What are these false positives? Please elaborate.
There is no single false positive that I am aware of. All the ones
that were debugged are real kernel bugs.
I've replied to several of the syzbot automated reports with the
"invalid" response.  I haven't been keeping track, but it seems like
approximately 50% of the SELinux related reports don't make sense upon
inspection.
Can you please point me to some of these bugs? I don't see anything
like this in my inbox, in google group nor in database.
Not easily, no.  I don't keep track of these reports once I've
responded to the syzbot mail.

There must be traces of this in database and on mailing lists (even if
you drop syzkaller-bugs@ syzbot will re-add it). So far I did not find
any traces...
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help