Re: SELinux related kernel oops

[Stephen Smalley <sds tycho nsa gov>]

On Thu, 2006-03-23 at 16:04 -0500, Jack Neely wrote:
> Folks,
> 
> I received a strange kernel oops that I'm trying to dig up some more
> information about before I start filing bug reports.
> 
>     http://anduril.pams.ncsu.edu/~slack/oops-20060323
> 
> This is a RHEL 4 server running kernel 2.6.9-22.0.2.ELsmp with SELinux
> in enforcing mode.  It has an Apple XRAID attached via an LSI fiber
> channel card that Apple ships and a SCSI HD array.  (Software raid.)
> The server is a fairly busy NFS server.  Loads between 1 and 2 are
> common.
> 
> Any ideas where this came from and how to avoid it in the future?

Hmm...per the security_compute_av output just prior to the Oops, an
illegal (and out of bounds) security class value (14080) was passed to
the permission checking code, which later causes the Oops in
avc_dump_query when it tries to use that as an index into an array of
class string names for display.  That should likely bounds check the
class value to avoid an Oops, but that isn't the real bug - the question
is how we ended up with an invalid class value here.  The class value
comes from the inode security structure, and is initially set to
SECCLASS_FILE (6) when the inode is allocated, then adjusted based on
the inode mode upon d_instantiate/d_splice_alias to match the file type.
Certainly shouldn't be 14080 aka 0x3700.

-- 
Stephen Smalley
National Security Agency