Closed
Labels: bug (Something isn't working)
Description
Please check before submitting an issue
- I have searched the issues and haven't found anything relevant
- I will upload bugreport file in KernelSU Manager - Settings - Report log
- I know how to reproduce the issue which may not be specific to my device
Describe the bug
Another process may be reading the SELinux rules while we are modifying them, causing kernel panics because of a UAF:
[ 3.145613][ T918] KernelSU: target type nsfs does not exist
[ 3.145692][ T918] KernelSU: target type nsfs does not exist
[ 3.146104][ T642] Unable to handle kernel paging request at virtual address ffffff868d393600
[ 3.146111][ T642] Mem abort info:
[ 3.146112][ T642] ESR = 0x0000000096000005
[ 3.146114][ T642] EC = 0x25: DABT (current EL), IL = 32 bits
[ 3.146116][ T642] SET = 0, FnV = 0
[ 3.146118][ T642] EA = 0, S1PTW = 0
[ 3.146120][ T642] FSC = 0x05: level 1 translation fault
[ 3.146122][ T642] Data abort info:
[ 3.146123][ T642] ISV = 0, ISS = 0x00000005
[ 3.146125][ T642] CM = 0, WnR = 0
[ 3.146126][ T642] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081bbb000
[ 3.146129][ T642] [ffffff868d393600] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 3.146135][ T642] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 3.146141][ T642] debug-snapshot dss: context saved(CPU:7)
[ 3.146284][ T642] item - log_kevents is disabled
[ 3.146288][ T642] Modules linked in: wlan(O) google_wlan_mac(O) qrtr_mhi(O) cnss_prealloc(O) cnss_nl(O) cnss2(O) mhi(O) cnss_plat_ipc_qmi_svc(O) wlan_firmware_service(O) qmi_helpers(O) qrtr(O) cnss_utils(O) focal_touch(O) bbd_pps_gpio(O) btpower(O) snd_soc_cs40l26(O) cs40l26_core(O) cl_dsp_core(O) snd_soc_cs35l41_i2c(O) bigwave(O) lwis(O) gxp(O) mali_kbase(O) mali_pixel(O) fps_touch_handler(O) goog_touch_interface(O) janeiro(O) panel_common(O) gs_panel(O) hl7132(O) rt9471_charger(O) max77779_fwupdate(O) ln8411(O) max77779_pmic_i2c(O) max77779_pmic_sgpio(O) max77779_pmic_pinctrl(O) max77779_pmic_irq(O) max77779_i2cm_i2c(O) max77779_i2cm(O) max77779_sp_i2c(O) max77779_sp(O) max77779_fg_i2c(O) max77779_vimon_i2c(O) max77779_vimon(O) max77779_charger_i2c(O) google_ccd(O) google_dock(O) pwm_exynos(O) odpm_whi(O) stmvl53l1(O) usb_f_etr_miu(O) slg51002_core(O) slg51000_core(O) iovad_vendor_hooks(O) slg51002_regulator(O) slg51000_regulator(O) smra(O) pinctrl_slg51002(O)
[ 3.146341][ T642] pinctrl_slg51000(O) mac80211 cfg80211 nfc mac802154 ieee802154_socket ieee802154_6lowpan ieee802154 nhc_udp nhc_routing nhc_mobility nhc_ipv6 nhc_hop nhc_fragment nhc_dest 6lowpan diag tipc l2tp_ppp l2tp_core hidp rfcomm can_gw can_bcm can_raw can 8021q btsdio hci_uart btqca btbcm bluetooth rfkill ftdi_sio usbserial cdc_acm r8153_ecm aqc111 cdc_ncm cdc_eem cdc_ether ax88179_178a asix usbnet r8152 rtl8150 wwan pptp pppox ppp_mppe ppp_deflate bsd_comp ppp_generic slhc slcan vcan can_dev mii libarc4 kheaders gzvm aoc_alsa_dev(O) aoc_usb_driver(O) google_bcl(O) aoc_alsa_dev_util(O) panel_samsung_emul(O) aoc_uwb_platform_drv(O) panel_boe_nt37290(O) panel_samsung_s6e3hc2(O) panel_samsung_sofef01(O) panel_samsung_s6e3fc3_p10(O) panel_samsung_s6e3fc3(O) panel_samsung_s6e3fc5(O) panel_samsung_s6e3fc3_l10(O) panel_samsung_s6e3hc3_c10(O) panel_samsung_s6e3hc3(O) panel_samsung_s6e3hc4(O) exynos_drm_audio(O) aoc_channel_dev(O) aoc_char_dev(O) aoc_uwb_service_dev(O)
[ 3.146405][ T642] cpif(O) aoc_control_dev(O) aoc_tbn_service_dev(O) hardlockup_debug(O) ehld(O) exynos_coresight(O) google_charger(O) panel_samsung_drv(O) google_cpm(O) exynos_coresight_etm(O) max77759_charger(O) pca9468(O) aoc_core(O) pcie_exynos_gs(O) acpm_mbox_test(O) sjtag_driver(O) g2d(O) s2mpg1x_gpio(O) max77779_fg(O) tcpci_max77759(O) s3c2410_wdt(O) ufs_exynos_gs(O) gsa_gsc(O) s2mpg12_powermeter(O) s2mpg12_regulator(O) rtc_s2mpg12(O) max77729_pmic(O) zcomp_cpu(O) zcomp_eh(O) exynos_drm(O) exynos_mfc(O) smfc(O) gsa(O) bc_max77759(O) bcm_dbg(O) exynos_pm(O) dbgcore_dump(O) eh(O) pixel_em(O) etm2dram(O) exynos_adv_tracer_s2d(O) s2mpg12_mfd(O) google_battery(O) max1720x_battery(O) google_dual_batt_gauge(O) max77779_charger(O) max77729_uic(O) max777x9_contaminant(O) p9221(O) exynos_acme(O) pixel_reboot(O) s2mpg13_powermeter(O) s2mpg13_regulator(O) exynos_devfreq(O) samsung_dma_heap(O) samsung_iommu(O) s2mpg13_spmic_thermal(O) zram_gs(O) slc_acpm(O) snd_soc_cs35l41_spi(O)
[ 3.146452][ T642] usb_psy(O) exynos_dm(O) acpm_flexpmu_dbg(O) bts(O) exynos_adv_tracer(O) gs_thermal(O) debug_snapshot_debug_kinfo(O) exynos_debug_test(O) exynos_ecc_handler(O) exynos_tty(O) trusty_virtio(O) google_bms(O) s2mpg13_mfd(O) gpu_cooling(O) gs_governor_memlat(O) i2c_exynos5(O) itmon(O) keydebug(O) max77729_charger(O) max77759_contaminant(O) max77779_contaminant(O) pcie_exynos_gs201_rc_cal(O) phy_exynos_mipi(O) phy_exynos_mipi_dsim(O) pixel_stat_mm(O) power_stats(O) sbb_mux(O) slc_pmon(O) snd_soc_cs35l41(O) trusty_ipc(O) xhci_exynos(O) trusty_test(O) slc_dummy(O) trusty_log(O) usbc_cooling_dev(O) st21nfc(O) shm_ipc(O) spi_s3c64xx(O) exynos_pd_dbg(O) trusty_core(O) samsung_dma(O) arm_dsu_pmu at24 audiometrics(O) bcm47765(O) cp_thermal_zone(O) cpif_page(O) drm_display_helper debug_reboot(O) exynos_bcm_dbg_dump(O) exynos_cpuhp(O) exynos_pcie_iommu(O) goodixfp(O) exynos_seclog(O) google_modemctl(O) logbuffer(O) google_tcpci_shim(O) gs_drm_connector(O)
[ 3.146498][ T642] gs_governor_utils(O) hardlockup_watchdog(O) heatmap(O) i2c_acpm(O) i2c_dev keycombo(O) mailbox_wc(O) max20339(O) max77759_helper(O) pixel_debug_test(O) max77779_pmic(O) pixel_boot_metrics(O) pl330(O) pixel_stat_sysfs(O) s2mpg12_key(O) pmic_class(O) samsung_iommu_group(O) samsung_secure_iova(O) sg snd_soc_wm_adsp(O) slc_pt(O) spidev softdog sscoredump(O) st33spi(O) zsmalloc st54spi(O) touch_bus_negotiator(O) sysrq_hook(O) touch_offload(O) ufs_pixel_fips140(O) usb_f_dm1(O) usb_f_dm(O) vh_cgroup(O) vh_mm(O) vh_fs(O) vh_preemptirq_long(O) vh_thermal(O) fips140 kernelsu(O) pkvm_s2mpu(O) exynos_pd(O) clk_exynos_gs(O) dwc3_exynos_usb(O) gvotable(O) phy_exynos_usbdrd_super(O) exynos_pd_hsi0(O) exynos_pm_qos(O) exynos_cpupm(O) exynos_mct(O) pinctrl_exynos_gs(O) pixel_metrics(O) vh_sched(O) cmupmucal(O) gs_acpm(O) kernel_top(O) systrace(O) ect_parser(O) gs_chipid(O) sched_tp(O) gs_perf_mon(O) dss(O) pixel_suspend_diag(O) exynos_pmu_if(O) exynos_pd_el3(O)
[ 3.146551][ T642] CPU: 7 PID: 642 Comm: RenderEngine Tainted: G O 6.1.145-android14-11-gc1de4747ac59-ab14219743 #1
[ 3.146554][ T642] Hardware name: GS201 LYNX MP 1.0 based on GS201 (DT)
[ 3.146557][ T642] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 3.146560][ T642] pc : context_struct_compute_av.73+0x88/0x3dc
[ 3.146568][ T642] lr : type_attribute_bounds_av+0x108/0x174
[ 3.146572][ T642] sp : ffffffc01014b8a0
[ 3.146573][ T642] x29: ffffffc01014b8e0 x28: ffffff8019cd7938 x27: ffffff8019cd7990
[ 3.146577][ T642] x26: ffffffc01014bbb8 x25: 000000000000000b x24: ffffff800ce0b008
[ 3.146580][ T642] x23: ffffff8019cd7808 x22: 000000000000000b x21: 0000000066656360
[ 3.146583][ T642] x20: ffffffc01014b940 x19: ffffff8026e30000 x18: ffffffc00d16d070
[ 3.146586][ T642] x17: 0000000009e482ed x16: 00000000074d3f17 x15: 00000000e6546b64
[ 3.146589][ T642] x14: 000000001b873593 x13: 0000000000000001 x12: 0000000100000001
[ 3.146592][ T642] x11: 0000000000000000 x10: 00000000ffffffff x9 : 0000000666563600
[ 3.146595][ T642] x8 : ffffff800e3ff700 x7 : ffffffc01014bcd8 x6 : 00000000c040803b
[ 3.146598][ T642] x5 : ffffffc01014bbb8 x4 : ffffffc01014b940 x3 : 000000000000000b
[ 3.146601][ T642] x2 : ffffffc01014b958 x1 : ffffffc01014b9a0 x0 : ffffff8019cd7808
[ 3.146604][ T642] Call trace:
[ 3.146606][ T642] context_struct_compute_av.73+0x88/0x3dc
[ 3.146609][ T642] type_attribute_bounds_av+0x108/0x174
[ 3.146612][ T642] security_compute_av+0x594/0x83c
[ 3.146614][ T642] avc_compute_av+0x60/0x254
[ 3.146617][ T642] avc_has_extended_perms+0x274/0x3e0
[ 3.146619][ T642] ioctl_has_perm+0x120/0x158
[ 3.146622][ T642] selinux_file_ioctl+0x1d4/0x238
[ 3.146625][ T642] security_file_ioctl+0x5c/0x80
[ 3.146629][ T642] __arm64_sys_ioctl+0x48/0xe4
[ 3.146636][ T642] invoke_syscall+0x58/0x118
[ 3.146641][ T642] el0_svc_common+0xb4/0xf4
[ 3.146644][ T642] do_el0_svc+0x24/0x80
[ 3.146647][ T642] el0_svc+0x2c/0x90
[ 3.146651][ T642] el0t_64_sync_handler+0x68/0xb4
[ 3.146653][ T642] el0t_64_sync+0x1a4/0x1a8
[ 3.146657][ T642] Code: 51000535 d37c7ea9 f85f8108 781f43b6 (f8696a7b)
[ 3.146659][ T642] ---[ end trace 0000000000000000 ]---
[ 3.146662][ T642] Kernel panic - not syncing: Oops: Fatal exception
[ 3.146663][ T642] SMP: stopping secondary CPUs
[ 3.147688][ T642] task:ksud state:D stack:0 pid:918 ppid:1 flags:0x04000400
[ 3.147691][ T642] Call trace:
[ 3.147692][ T642] __switch_to+0x15c/0x2cc
[ 3.147695][ T642] __schedule+0x608/0x9f0
[ 3.147698][ T642] schedule+0x7c/0xe8
[ 3.147701][ T642] synchronize_rcu_expedited+0x4f8/0x6d0
[ 3.147704][ T642] synchronize_rcu+0x3c/0x228
[ 3.147706][ T642] synchronize_net+0x20/0x30
[ 3.147711][ T642] selinux_netcache_avc_callback+0x24/0x38
[ 3.147713][ T642] avc_ss_reset+0x68/0xbc
[ 3.147716][ T642] handle_sepolicy+0xafc/0x1f48 [kernelsu]
[ 3.147737][ T642] do_set_sepolicy+0xf0/0x180 [kernelsu]
[ 3.147755][ T642] anon_ksu_ioctl+0x200/0x258 [kernelsu]
[ 3.147772][ T642] __arm64_sys_ioctl+0xa8/0xe4
[ 3.147776][ T642] invoke_syscall+0x58/0x118
[ 3.147779][ T642] el0_svc_common+0x88/0xf4
[ 3.147782][ T642] do_el0_svc+0x24/0x80
[ 3.147785][ T642] el0_svc+0x2c/0x90
[ 3.147787][ T642] el0t_64_sync_handler+0x68/0xb4
[ 3.147789][ T642] el0t_64_sync+0x1a4/0x1a8
To Reproduce
No response
Expected behavior
No response
Screenshots
No response
Logs
No response
Device info
- Device:
- OS Version:
- KernelSU Version:
- Kernel Version:
Additional context
No response