Re: selinux_msg_queue_msgrcv() oops

From: Stanislav Kinsbursky
Date: Thu Feb 07 2013 - 04:17:14 EST

Next message: Alexander Shiyan: "Re[2]: [PATCH] mfd: syscon: Added support for using platform driver resources"
Previous message: Tomi Valkeinen: "Re: [PATCH v3 00/10] video: da8xx-fb: runtime timing configuration"
In reply to: Tommi Rantala: "Re: selinux_msg_queue_msgrcv() oops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

06.02.2013 23:51, Tommi Rantala ÐÐÑÐÑ:

2013/2/6 Stephen Smalley <sds@xxxxxxxxxxxxx>:
On 02/06/2013 10:21 AM, Tommi Rantala wrote:

2013/2/6 Stephen Smalley <sds@xxxxxxxxxxxxx>:

On 02/06/2013 07:56 AM, Tommi Rantala wrote:

Hello,

I'm hitting an oops in selinux_msg_queue_msgrcv() when fuzzing with
Trinity as the root user (in a qemu VM):

NULL msg->security at that point is a bug in the ipc subsystem; SELinux
is
just the messenger. Normally msg->security is set for every allocated
msg
by load_msg() -> security_msg_msg_alloc() ->
selinux_msg_msg_alloc_security(), and freed/cleared upon free_msg() ->
security_msg_msg_free() -> selinux_msg_msg_free_security(). Looking
around,
I see copy_msg() introduced for checkpoint-restore initializes
dst->security
to NULL but never sets it properly?

I am indeed building with CONFIG_CHECKPOINT_RESTORE=y, so your
analysis seems to be correct.

(cc originator of the bug)

If I am reading this correctly, then when the copy msg was created, a msg
security struct was already allocated
(prepare_copy->load_msg->security_msg_msg_alloc). So having copy_msg()
clear dst->security is also a memory leak in addition to leading to this
oops. Attached is a possible, un-tested fix.

I can still reproduce the exact same oops with the patch applied. I
also wanted to be sure that copy_msg() is called, so I added a warning
there, but that never gets triggered. So I suppose the problem is not
actually related to CONFIG_CHECKPOINT_RESTORE.

Hello.
Unfortunately, you are not the first one, who experience problems with Trinity running in KVM.

copy_msg() won't be called unless you'll specify the MSG_COPY flag in msgrcv() flags parameter.

Could you make a small investigation around the problem?
For example, does this problem appear, is you disable CONFIG_CHECKPOINT_RESTORE config option?

--
Best regards,
Stanislav Kinsbursky
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexander Shiyan: "Re[2]: [PATCH] mfd: syscon: Added support for using platform driver resources"
Previous message: Tomi Valkeinen: "Re: [PATCH v3 00/10] video: da8xx-fb: runtime timing configuration"
In reply to: Tommi Rantala: "Re: selinux_msg_queue_msgrcv() oops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]