Revision 2172fa709ab32ca60e86179dc67d0857be8e2c98 authored by Stephen Smalley on 30 January 2014, 16:26:59 UTC, committed by Paul Moore on 05 February 2014, 17:20:51 UTC
Setting an empty security context (length=0) on a file will
lead to incorrectly dereferencing the type and other fields
of the security context structure, yielding a kernel BUG.
As a zero-length security context is never valid, just reject
all such security contexts whether coming from userspace
via setxattr or coming from the filesystem upon a getxattr
request by SELinux.

Setting a security context value (empty or otherwise) unknown to
SELinux in the first place is only possible for a root process
(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only
if the corresponding SELinux mac_admin permission is also granted
to the domain by policy.  In Fedora policies, this is only allowed for
specific domains such as livecd for setting down security contexts
that are not defined in the build host policy.

Reproducer:
su
setenforce 0
touch foo
setfattr -n security.selinux foo

Caveat:
Relabeling or removing foo after doing the above may not be possible
without booting with SELinux disabled.  Any subsequent access to foo
after doing the above will also trigger the BUG.

BUG output from Matthew Thode:
[  473.893141] ------------[ cut here ]------------
[  473.962110] kernel BUG at security/selinux/ss/services.c:654!
[  473.995314] invalid opcode: 0000 [#6] SMP
[  474.027196] Modules linked in:
[  474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G      D   I
3.13.0-grsec #1
[  474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0
07/29/10
[  474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti:
ffff8805f50cd488
[  474.183707] RIP: 0010:[<ffffffff814681c7>]  [<ffffffff814681c7>]
context_struct_compute_av+0xce/0x308
[  474.219954] RSP: 0018:ffff8805c0ac3c38  EFLAGS: 00010246
[  474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX:
0000000000000100
[  474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI:
ffff8805e8aaa000
[  474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09:
0000000000000006
[  474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12:
0000000000000006
[  474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15:
0000000000000000
[  474.453816] FS:  00007f2e75220800(0000) GS:ffff88061fc00000(0000)
knlGS:0000000000000000
[  474.489254] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4:
00000000000207f0
[  474.556058] Stack:
[  474.584325]  ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98
ffff8805f1190a40
[  474.618913]  ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990
ffff8805e8aac860
[  474.653955]  ffff8805c0ac3cb8 000700068113833a ffff880606c75060
ffff8805c0ac3d94
[  474.690461] Call Trace:
[  474.723779]  [<ffffffff811b549b>] ? lookup_fast+0x1cd/0x22a
[  474.778049]  [<ffffffff81468824>] security_compute_av+0xf4/0x20b
[  474.811398]  [<ffffffff8196f419>] avc_compute_av+0x2a/0x179
[  474.843813]  [<ffffffff8145727b>] avc_has_perm+0x45/0xf4
[  474.875694]  [<ffffffff81457d0e>] inode_has_perm+0x2a/0x31
[  474.907370]  [<ffffffff81457e76>] selinux_inode_getattr+0x3c/0x3e
[  474.938726]  [<ffffffff81455cf6>] security_inode_getattr+0x1b/0x22
[  474.970036]  [<ffffffff811b057d>] vfs_getattr+0x19/0x2d
[  475.000618]  [<ffffffff811b05e5>] vfs_fstatat+0x54/0x91
[  475.030402]  [<ffffffff811b063b>] vfs_lstat+0x19/0x1b
[  475.061097]  [<ffffffff811b077e>] SyS_newlstat+0x15/0x30
[  475.094595]  [<ffffffff8113c5c1>] ? __audit_syscall_entry+0xa1/0xc3
[  475.148405]  [<ffffffff8197791e>] system_call_fastpath+0x16/0x1b
[  475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48
8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7
75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8
[  475.255884] RIP  [<ffffffff814681c7>]
context_struct_compute_av+0xce/0x308
[  475.296120]  RSP <ffff8805c0ac3c38>
[  475.328734] ---[ end trace f076482e9d754adc ]---

Reported-by:  Matthew Thode <mthode@mthode.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <pmoore@redhat.com>
1 parent 6a96e15
pata_at32.c
/*
 * AVR32 SMC/CFC PATA Driver
 *
 * Copyright (C) 2007 Atmel Norway
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License version
 * 2 as published by the Free Software Foundation.
 */

#define DEBUG

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/device.h>
#include <linux/platform_device.h>
#include <linux/delay.h>
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/slab.h>
#include <scsi/scsi_host.h>
#include <linux/ata.h>
#include <linux/libata.h>
#include <linux/err.h>
#include <linux/io.h>

#include <mach/board.h>
#include <mach/smc.h>

#define DRV_NAME "pata_at32"
#define DRV_VERSION "0.0.3"

/*
 * CompactFlash controller memory layout relative to the base address:
 *
 *	Attribute memory:  0000 0000 -> 003f ffff
 *	Common memory:	   0040 0000 -> 007f ffff
 *	I/O memory:	   0080 0000 -> 00bf ffff
 *	True IDE Mode:	   00c0 0000 -> 00df ffff
 *	Alt IDE Mode:	   00e0 0000 -> 00ff ffff
 *
 * Only True IDE and Alt True IDE mode are needed for this driver.
 *
 *	True IDE mode	  => CS0 = 0, CS1 = 1 (cmd, error, stat, etc)
 *	Alt True IDE mode => CS0 = 1, CS1 = 0 (ctl, alt_stat)
 */
#define CF_IDE_OFFSET	  0x00c00000
#define CF_ALT_IDE_OFFSET 0x00e00000
#define CF_RES_SIZE	  2048

/*
 * Define DEBUG_BUS if you are doing debugging of your own EBI -> PATA
 * adaptor with a logic analyzer or similar.
 */
#undef DEBUG_BUS

/*
 * ATA PIO modes
 *
 *	Name	| Mb/s	| Min cycle time | Mask
 *	--------+-------+----------------+--------
 *	Mode 0	| 3.3	| 600 ns	 | 0x01
 *	Mode 1	| 5.2	| 383 ns	 | 0x03
 *	Mode 2	| 8.3	| 240 ns	 | 0x07
 *	Mode 3	| 11.1	| 180 ns	 | 0x0f
 *	Mode 4	| 16.7	| 120 ns	 | 0x1f
 *
 * Alter PIO_MASK below according to table to set maximal PIO mode.
 */
enum {
  /* Mask of PIO modes offered to libata; pata_at32_init_one() copies it into ap->pio_mask */
  PIO_MASK = ATA_PIO4,
};

/*
 * Struct containing private information about device.
 */
struct at32_ide_info {
	/* Interrupt line from platform_get_irq(); handed to ata_host_activate() */
	unsigned int		irq;
	/* Child resource for the True IDE window (parent start + CF_IDE_OFFSET) */
	struct resource		res_ide;
	/* Child resource for the Alt True IDE window (parent start + CF_ALT_IDE_OFFSET) */
	struct resource		res_alt;
	/* devm_ioremap() mapping of the start of res_ide */
	void __iomem		*ide_addr;
	/* devm_ioremap() mapping of the start of res_alt */
	void __iomem		*alt_addr;
	/* Chip select taken from the board platform data; passed to smc_set_configuration() */
	unsigned int		cs;
	/* SMC configuration, rewritten by pata_at32_setup_timing() on every timing change */
	struct smc_config	smc;
};

/*
 * Program the SMC chip select in info->cs for the 8-bit ATA timing in *ata.
 *
 * The nanosecond values are converted by smc_set_timing(), then adjusted
 * in clock cycles (one extra setup cycle, at least two recovery cycles)
 * and mirrored from the read side to the write side.  info->smc is
 * modified in place.
 *
 * Returns the result of smc_set_configuration().
 */
static int pata_at32_setup_timing(struct device *dev,
				  struct at32_ide_info *info,
				  const struct ata_timing *ata)
{
	struct smc_config *smc = &info->smc;
	/* Unnamed members are zero-initialised; only the DIOR <= CFIOR
	 * values and the total cycle time come from the ATA timing. */
	struct smc_timing timing = {
		.read_cycle  = ata->cyc8b,
		.nrd_setup   = ata->setup,
		.nrd_pulse   = ata->act8b,
		.nrd_recover = ata->rec8b,
	};
	int busy;
	int slack;

	/* Nanoseconds in, clock cycles out */
	smc_set_timing(smc, &timing);

	/* Signal ringing costs one additional setup cycle */
	smc->nrd_setup += 1;

	/* Cycles in which NRD is being set up or asserted */
	busy  = smc->nrd_setup + smc->nrd_pulse;
	/* Kept in a signed int so a too-short cycle shows up as < 2 */
	slack = smc->read_cycle - busy;

	/* Stretch the cycle until two recovery cycles remain */
	if (slack < 2)
		smc->read_cycle = busy + 2;

	/* (CS0, CS1, DIR, OE) <= (CFCE1, CFCE2, CFRNW, NCSX) timings */
	smc->ncs_read_setup = 1;
	smc->ncs_read_pulse = smc->read_cycle - 2;

	/* The write side simply copies the read side */
	smc->write_cycle     = smc->read_cycle;
	smc->nwe_setup	     = smc->nrd_setup;
	smc->nwe_pulse	     = smc->nrd_pulse;
	smc->ncs_write_setup = smc->ncs_read_setup;
	smc->ncs_write_pulse = smc->ncs_read_pulse;

	/* Log both the requested ATA timing and the resulting SMC cycles */
	dev_dbg(dev, "ATA: C=%d S=%d P=%d R=%d\n",
		ata->cyc8b, ata->setup, ata->act8b, ata->rec8b);
	dev_dbg(dev, "SMC: C=%d S=%d P=%d NS=%d NP=%d\n",
		smc->read_cycle, smc->nrd_setup, smc->nrd_pulse,
		smc->ncs_read_setup, smc->ncs_read_pulse);

	/* Commit the configuration to the controller */
	return smc_set_configuration(info->cs, smc);
}

/*
 * Procedures for libATA.
 */
/*
 * libata .set_piomode hook: compute the ATA timing for adev->pio_mode
 * and reprogram the SMC to match.
 *
 * The hook returns void, so a failure in either step is only reported
 * with dev_warn() and the SMC keeps whatever state it had at that point.
 */
static void pata_at32_set_piomode(struct ata_port *ap, struct ata_device *adev)
{
	struct at32_ide_info *info = ap->host->private_data;
	struct ata_timing pio_timing;
	int err;

	/* Translate the PIO mode into an ATA timing */
	err = ata_timing_compute(adev, adev->pio_mode, &pio_timing, 1000, 0);
	if (err) {
		dev_warn(ap->dev, "Failed to compute ATA timing %d\n", err);
		return;
	}

	/* Apply that timing to the SMC */
	err = pata_at32_setup_timing(ap->dev, info, &pio_timing);
	if (err)
		dev_warn(ap->dev, "Failed to setup ATA timing %d\n", err);
}

/* SCSI host template passed to ata_host_activate(); filled in by the ATA_PIO_SHT() macro */
static struct scsi_host_template at32_sht = {
	ATA_PIO_SHT(DRV_NAME),
};

/*
 * Port operations: everything is inherited from ata_sff_port_ops except
 * cable detection and the PIO mode hook, which reprograms the SMC.
 */
static struct ata_port_operations at32_port_ops = {
	.inherits		= &ata_sff_port_ops,
	.cable_detect		= ata_cable_40wire,
	.set_piomode		= pata_at32_set_piomode,
};

/*
 * Allocate a single-port ATA host, point libata at the remapped taskfile
 * registers and activate the host on info->irq.
 *
 * Returns -ENOMEM when the host cannot be allocated, otherwise the
 * result of ata_host_activate().
 */
static int __init pata_at32_init_one(struct device *dev,
				     struct at32_ide_info *info)
{
	struct ata_host *host = ata_host_alloc(dev, 1);
	struct ata_port *port;

	if (!host)
		return -ENOMEM;

	/* The libata callbacks reach the driver state through the host */
	host->private_data = info;

	/* Bind the only port to this driver's operations */
	port = host->ports[0];
	port->ops      = &at32_port_ops;
	port->pio_mask = PIO_MASK;
	port->flags   |= ATA_FLAG_SLAVE_POSS;

	/*
	 * 8-bit taskfile transfers must use the lower byte of the data
	 * bus, and an SMC bug prevents changing the bus width at
	 * runtime, so the address signals are hardwired as
	 *
	 *	A_IDE(2:0) <= A_EBI(3:1)
	 *
	 * Every EBI address is therefore even and every register
	 * offset handed to libATA is shifted left by one.
	 */

	/* Control and alternate status share one address in the alt window */
	port->ioaddr.ctl_addr	    = info->alt_addr + (0x06 << 1);
	port->ioaddr.altstatus_addr = port->ioaddr.ctl_addr;

	/* Command block registers in the True IDE window */
	port->ioaddr.data_addr	    = info->ide_addr + (ATA_REG_DATA << 1);
	port->ioaddr.error_addr	    = info->ide_addr + (ATA_REG_ERR << 1);
	port->ioaddr.feature_addr   = info->ide_addr + (ATA_REG_FEATURE << 1);
	port->ioaddr.nsect_addr	    = info->ide_addr + (ATA_REG_NSECT << 1);
	port->ioaddr.lbal_addr	    = info->ide_addr + (ATA_REG_LBAL << 1);
	port->ioaddr.lbam_addr	    = info->ide_addr + (ATA_REG_LBAM << 1);
	port->ioaddr.lbah_addr	    = info->ide_addr + (ATA_REG_LBAH << 1);
	port->ioaddr.device_addr    = info->ide_addr + (ATA_REG_DEVICE << 1);
	port->ioaddr.status_addr    = info->ide_addr + (ATA_REG_STATUS << 1);
	port->ioaddr.command_addr   = info->ide_addr + (ATA_REG_CMD << 1);

	/* Hook up the interrupt handler and register the host */
	return ata_host_activate(host, info->irq, ata_sff_interrupt,
				 IRQF_SHARED | IRQF_TRIGGER_RISING,
				 &at32_sht);
}

/*
 * This function may come in handy for people analyzing their own
 * EBI -> PATA adaptors.
 */
#ifdef DEBUG_BUS

/*
 * Drive fixed 0xff / 0x00 patterns onto both register windows so the
 * bus can be watched with a logic analyzer.  Only built when DEBUG_BUS
 * is defined; nothing is read back.
 */
static void __init pata_at32_debug_bus(struct device *dev,
				       struct at32_ide_info *info)
{
	const int all_ones  = 0xff;
	const int all_zeros = 0x00;
	int reg;
	int pass;

	/* 8-bit register writes: first the alt window ... */
	iowrite8(all_ones,  info->alt_addr + (0x06 << 1));
	iowrite8(all_zeros, info->alt_addr + (0x06 << 1));

	/* ... then each of the eight registers in the IDE window */
	for (reg = 0; reg < 8; reg++) {
		iowrite8(all_ones,  info->ide_addr + (reg << 1));
		iowrite8(all_zeros, info->ide_addr + (reg << 1));
	}

	/* 16-bit data writes: low byte set, then high byte set, done twice */
	for (pass = 0; pass < 2; pass++) {
		iowrite16(all_ones,	 info->ide_addr);
		iowrite16(all_ones << 8, info->ide_addr);
	}
}

#endif

/*
 * Probe the platform device: claim the two IDE register windows inside
 * the device's memory resource, program the SMC with an initial PIO 0
 * timing, map the registers and register the ATA host.
 *
 * Returns 0 on success.  Fails with -ENXIO when platform data or the
 * memory resource is missing, with the platform_get_irq() error when no
 * IRQ is available, with -ENOMEM on allocation or mapping failure, or
 * with the error of whichever setup step failed.  Everything acquired
 * with request_resource()/kzalloc() is undone on the error path.
 */
static int __init pata_at32_probe(struct platform_device *pdev)
{
	/*
	 * Positional initializer for struct ata_timing, first member
	 * XFER_PIO_0.  NOTE(review): the remaining values depend on the
	 * member order of struct ata_timing, which is not visible here.
	 */
	const struct ata_timing initial_timing =
		{XFER_PIO_0, 70, 290, 240, 600, 165, 150, 600, 0};

	struct device		 *dev = &pdev->dev;
	struct at32_ide_info	 *info;
	struct ide_platform_data *board = dev_get_platdata(&pdev->dev);
	struct resource		 *res;

	int irq;
	int ret;

	/* The chip select comes from board data, so it is mandatory */
	if (!board)
		return -ENXIO;

	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
	if (!res)
		return -ENXIO;

	/* Retrieve IRQ */
	irq = platform_get_irq(pdev, 0);
	if (irq < 0)
		return irq;

	/* Setup struct containing private information */
	info = kzalloc(sizeof(struct at32_ide_info), GFP_KERNEL);
	if (!info)
		return -ENOMEM;

	info->irq = irq;
	info->cs  = board->cs;

	/* Request memory resources */
	/* Both windows are CF_RES_SIZE bytes, placed at fixed offsets from res->start */
	info->res_ide.start = res->start + CF_IDE_OFFSET;
	info->res_ide.end   = info->res_ide.start + CF_RES_SIZE - 1;
	info->res_ide.name  = "ide";
	info->res_ide.flags = IORESOURCE_MEM;

	/* Claimed as a child of the device's own memory resource */
	ret = request_resource(res, &info->res_ide);
	if (ret)
		goto err_req_res_ide;

	info->res_alt.start = res->start + CF_ALT_IDE_OFFSET;
	info->res_alt.end   = info->res_alt.start + CF_RES_SIZE - 1;
	info->res_alt.name  = "alt";
	info->res_alt.flags = IORESOURCE_MEM;

	ret = request_resource(res, &info->res_alt);
	if (ret)
		goto err_req_res_alt;

	/* Setup non-timing elements of SMC */
	info->smc.bus_width	 = 2; /* 16 bit data bus */
	info->smc.nrd_controlled = 1; /* Sample data on rising edge of NRD */
	info->smc.nwe_controlled = 0; /* Drive data on falling edge of NCS */
	info->smc.nwait_mode	 = 3; /* NWAIT is in READY mode */
	info->smc.byte_write	 = 0; /* Byte select access type */
	info->smc.tdf_mode	 = 0; /* TDF optimization disabled */
	info->smc.tdf_cycles	 = 0; /* No TDF wait cycles */

	/* Setup SMC to ATA timing */
	ret = pata_at32_setup_timing(dev, info, &initial_timing);
	if (ret)
		goto err_setup_timing;

	/* Map ATA address space */
	/*
	 * ret is preset because devm_ioremap() reports failure as NULL.
	 * Only 16 bytes of each window are mapped; pata_at32_init_one()
	 * addresses the registers at (reg << 1) within that range.
	 */
	ret = -ENOMEM;
	info->ide_addr = devm_ioremap(dev, info->res_ide.start, 16);
	info->alt_addr = devm_ioremap(dev, info->res_alt.start, 16);
	if (!info->ide_addr || !info->alt_addr)
		goto err_ioremap;

#ifdef DEBUG_BUS
	pata_at32_debug_bus(dev, info);
#endif

	/* Setup and register ATA device */
	ret = pata_at32_init_one(dev, info);
	if (ret)
		goto err_ata_device;

	return 0;

	/*
	 * Unwind in reverse order of acquisition.  The first three labels
	 * share one target: the mappings were made with devm_ioremap(), so
	 * no explicit unmap appears here.
	 */
 err_ata_device:
 err_ioremap:
 err_setup_timing:
	release_resource(&info->res_alt);
 err_req_res_alt:
	release_resource(&info->res_ide);
 err_req_res_ide:
	kfree(info);

	return ret;
}

/*
 * Tear down what pata_at32_probe() set up: detach the ATA host, release
 * both register windows and free the private data.  Always returns 0,
 * including when no host or no private data is attached.
 */
static int __exit pata_at32_remove(struct platform_device *pdev)
{
	struct ata_host *host = platform_get_drvdata(pdev);
	struct at32_ide_info *info;

	if (host) {
		/* Read the private pointer before the host is detached */
		info = host->private_data;
		ata_host_detach(host);

		if (info) {
			release_resource(&info->res_ide);
			release_resource(&info->res_alt);
			kfree(info);
		}
	}

	return 0;
}

/* work with hotplug and coldplug */
MODULE_ALIAS("platform:at32_ide");

/*
 * Platform driver glue.  No .probe member is set here; the probe routine
 * is passed to module_platform_driver_probe() below instead, and .remove
 * is wrapped in __exit_p() because pata_at32_remove() is marked __exit.
 */
static struct platform_driver pata_at32_driver = {
	.remove	       = __exit_p(pata_at32_remove),
	.driver	       = {
		.name  = "at32_ide",
		.owner = THIS_MODULE,
	},
};

/* Registers the driver and probes with pata_at32_probe(), which is marked __init */
module_platform_driver_probe(pata_at32_driver, pata_at32_probe);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("AVR32 SMC/CFC PATA Driver");
MODULE_AUTHOR("Kristoffer Nyborg Gregertsen <kngregertsen@norway.atmel.com>");
MODULE_VERSION(DRV_VERSION);