On Jan 29, 2025 Huacai Chen <chenhua...@loongson.cn> wrote:
>
> When audit is enabled in a kernel build, and there are no LSMs active
> that support LSM labeling, it is possible that local variable lsmctx
> in the AUDIT_SIGNAL_INFO handler in audit_receive_msg() could be used
> before it is properly initialized. Then kmalloc() will try to allocate
> a large amount of memory with the uninitialized length.
>
> This patch corrects this problem by initializing the lsmctx to a safe
> value when it is declared, which avoids errors like:
>
> WARNING: CPU: 2 PID: 443 at mm/page_alloc.c:4727 __alloc_pages_noprof
> ra: 9000000003059644 ___kmalloc_large_node+0x84/0x1e0
> ERA: 900000000304d588 __alloc_pages_noprof+0x4c8/0x1040
> PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
> CPU: 2 UID: 0 PID: 443 Comm: auditd Not tainted 6.13.0-rc1+ #1899
> Call Trace:
> [<9000000002def6a8>] show_stack+0x30/0x148
> [<9000000002debf58>] dump_stack_lvl+0x68/0xa0
> [<9000000002e0fe18>] __warn+0x80/0x108
> [<900000000407486c>] report_bug+0x154/0x268
> [<90000000040ad468>] do_bp+0x2a8/0x320
> [<9000000002dedda0>] handle_bp+0x120/0x1c0
> [<900000000304d588>] __alloc_pages_noprof+0x4c8/0x1040
> [<9000000003059640>] ___kmalloc_large_node+0x80/0x1e0
> [<9000000003061504>] __kmalloc_noprof+0x2c4/0x380
> [<9000000002f0f7ac>] audit_receive_msg+0x764/0x1530
> [<9000000002f1065c>] audit_receive+0xe4/0x1c0
> [<9000000003e5abe8>] netlink_unicast+0x340/0x450
> [<9000000003e5ae9c>] netlink_sendmsg+0x1a4/0x4a0
> [<9000000003d9ffd0>] __sock_sendmsg+0x48/0x58
> [<9000000003da32f0>] __sys_sendto+0x100/0x170
> [<9000000003da3374>] sys_sendto+0x14/0x28
> [<90000000040ad574>] do_syscall+0x94/0x138
> [<9000000002ded318>] handle_syscall+0xb8/0x158
>
> Fixes: 6fba89813ccf333d ("lsm: ensure the correct LSM context releaser")
> Signed-off-by: Huacai Chen <chenhua...@loongson.cn>
> ---
> V2: Update commit message and CC list.
> V3: Update commit message again (thanks to Paul).
>
>  kernel/audit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
The backtrace in the commit description still exceeded the width of an 80 character wide terminal :( I trimmed the problem sections of the backtrace and merged this into audit/stable-6.14; as soon as I can get a clean kernel build I'll send this up to Linus. -- paul-moore.com
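The uninitialized-length pattern described in the quoted commit message, as an added user-space model written for this page (it is not kernel/audit.c or any kernel code; the struct layout, the LSM_ID_UNDEF value, the reply header and the 0xAA poison bytes are assumptions for illustration):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed mirror of the kernel's struct lsm_context for this model. */
struct lsm_context {
	char *context;
	uint32_t len;
	int id;
};
#define LSM_ID_UNDEF 0 /* assumed for this model, not taken from the kernel */

/* Stand-in for the fixed-size reply header that precedes the
 * variable-length security context in the AUDIT_SIGNAL_INFO reply. */
struct sig_info_model {
	uint32_t uid;
	uint32_t pid;
	char ctx[];
};

/* Model of the labeling hook; only reached when a labeling LSM is active. */
static void fill_context(struct lsm_context *cp)
{
	cp->context = "system_u:system_r:auditd_t:s0"; /* constructed sample label */
	cp->len = (uint32_t)strlen(cp->context) + 1;
	cp->id = 1;
}

/* Before the fix: lsmctx has no initializer. The memset stands in for the
 * stale stack bytes the real handler would see; with no labeling LSM the
 * hook is skipped and the garbage len sizes the allocation. */
size_t reply_alloc_len_before(int lsm_active)
{
	struct lsm_context lsmctx;
	memset(&lsmctx, 0xAA, sizeof lsmctx); /* simulated uninitialized stack */
	if (lsm_active)
		fill_context(&lsmctx);
	return sizeof(struct sig_info_model) + lsmctx.len;
}

/* After the fix: a safe value at the declaration, so len is 0 on the
 * no-LSM path and the allocation is just the header. */
size_t reply_alloc_len_after(int lsm_active)
{
	struct lsm_context lsmctx = { NULL, 0, LSM_ID_UNDEF };
	if (lsm_active)
		fill_context(&lsmctx);
	return sizeof(struct sig_info_model) + lsmctx.len;
}
```

On the no-LSM path the "before" variant asks for several gigabytes from a poisoned len, which is the kind of oversized request that reaches ___kmalloc_large_node and __alloc_pages_noprof in the quoted trace; the "after" variant asks for the header only.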