Thread (24 messages) 24 messages, 8 authors, 2024-07-11

Re: [syzbot] [lsm?] general protection fault in hook_inode_free_security

From: Mickaël Salaün <mic@digikod.net>
Date: 2024-07-08 14:11:52
Also in: linux-fsdevel, lkml

On Thu, Jun 27, 2024 at 02:28:03PM -0400, Paul Moore wrote:
On Thu, Jun 27, 2024 at 9:34 AM Mickaël Salaün [off-list ref] wrote:
quoted
I didn't find specific issues with Landlock's code except the extra
check in hook_inode_free_security().  It looks like inode->i_security is
a dangling pointer, leading to UAF.

Reading security_inode_free() comments, two things looks weird to me:
quoted
/**
 * security_inode_free() - Free an inode's LSM blob
 * @inode: the inode
 *
 * Deallocate the inode security structure and set @inode->i_security to NULL.
I don't see where i_security is set to NULL.
The function header comments are known to be a bit suspect, a side
effect of being detached from the functions for many years, this may
be one of those cases.  I tried to fix up the really awful ones when I
moved the comments back, back I didn't have time to go through each
one in detail.  Patches to correct the function header comments are
welcome and encouraged! :)
quoted
quoted
 */
void security_inode_free(struct inode *inode)
{
Shouldn't we add this check here?
if (!inode->i_security)
        return;
Unless I'm remembering something wrong, I believe we *should* always
have a valid i_security pointer each time we are called, if not
something has gone wrong, e.g. the security_inode_free() hook is no
longer being called from the right place.  If we add a NULL check, we
should probably have a WARN_ON(), pr_err(), or something similar to
put some spew on the console/logs.

All that said, it would be good to hear some confirmation from the VFS
folks that the security_inode_free() hook is located in a spot such
that once it exits it's current RCU critical section it is safe to
release the associated LSM state.

It's also worth mentioning that while we always allocate i_security in
security_inode_alloc() right now, I can see a world where we allocate
the i_security field based on need using the lsm_blob_size info (maybe
that works today?  not sure how kmem_cache handled 0 length blobs?).
The result is that there might be a legitimate case where i_security
is NULL, yet we still want to call into the LSM using the
inode_free_security() implementation hook.
quoted
quoted
      call_void_hook(inode_free_security, inode);
      /*
       * The inode may still be referenced in a path walk and
       * a call to security_inode_permission() can be made
       * after inode_free_security() is called. Ideally, the VFS
       * wouldn't do this, but fixing that is a much harder
       * job. For now, simply free the i_security via RCU, and
       * leave the current inode->i_security pointer intact.
       * The inode will be freed after the RCU grace period too.
It's not clear to me why this should be safe if an LSM try to use the
partially-freed blob after the hook calls and before the actual blob
free.
I had the same thought while looking at this just now.  At least in
the SELinux case I think this "works" simply because SELinux doesn't
do much here, it just drops the inode from a SELinux internal list
(long story) and doesn't actually release any memory or reset the
inode's SELinux state (there really isn't anything to "free" in the
SELinux case).  I haven't checked the other LSMs, but they may behave
similarly.

We may want (need?) to consider two LSM implementation hooks called
from within security_inode_free(): the first where the existing
inode_free_security() implementation hook is called, the second inside
the inode_free_by_rcu() callback immediately before the i_security
data is free'd.
Couldn't we call everything in inode_free_by_rcu()?
I replied here instead:
https://lore.kernel.org/r/20240708.hohNgieja0av@digikod.net (local)
... or we find a better placement in the VFS for
security_inode_free(), is that is possible.  It may not be, our VFS
friends should be able to help here.
Christian? Al?
quoted
quoted
       */
      if (inode->i_security)
              call_rcu((struct rcu_head *)inode->i_security,
                       inode_free_by_rcu);
And then:
inode->i_security = NULL;
According to the comment we may still need i_security for permission
checks.  See my comment about decomposing the LSM implementation into
two hooks to better handle this for LSMs.
That was my though too, but maybe not if the path walk just ends early.
quoted
But why call_rcu()?  i_security is not protected by RCU barriers.
I believe the issue is that the inode is protected by RCU and that
affects the lifetime of the i_security blob.
It seems to be related to commit fa0d7e3de6d6 ("fs: icache RCU free
inodes").
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help