Date: Wed, 01 Apr 2015 13:07:20 +0000 (GMT)
From: Maninder Singh
Subject: Re: Re: [Fix kernel crash in cipso_v4_sock_delattr ]
To: Casey Schaufler, Maninder Singh, Paul Moore
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Vaneet Narang, AJEET YADAV
Reply-to: maninder1.s@samsung.com
Message-id: <1233624800.241631427893638492.JavaMail.weblogic@epmlwas09b>
X-Mailing-List: linux-kernel@vger.kernel.org

We have run the trinity tool on a Smack-enabled system
like below:-

#./trinity -c sendto --dangerous

After some time we are able to crash the kernel:-

[] (cipso_v4_sock_delattr+0x0/0x74) from [] (netlbl_sock_delattr+0x18/0x1c)
 r4:00000000 r3:c07872f8
[] (netlbl_sock_delattr+0x0/0x1c) from [] (smack_netlabel+0x88/0x9c)
[] (smack_netlabel+0x0/0x9c) from [] (smack_netlabel_send+0x12c/0x144)
 r7:d9cee3c0 r6:d7b01ef4 r5:c076f408 r4:d88c84c0
[] (smack_netlabel_send+0x0/0x144) from [] (smack_socket_sendmsg+0x54/0x60)
[] (smack_socket_sendmsg+0x0/0x60) from [] (security_socket_sendmsg+0x28/0x2c)
[] (security_socket_sendmsg+0x0/0x2c) from [] (sock_sendmsg+0x68/0xc0)
[] (sock_sendmsg+0x0/0xc0) from [] (SyS_sendto+0xd8/0x110)
 r7:01400118 r6:0000007f r5:da308a00 r4:c076f408
[] (SyS_sendto+0x0/0x110) from [] (ret_fast_syscall+0x0/0x48)
Code: e5903200 e1a04000 e3530000 089da818 (e5d33016)
[SELP] while loop ... please attach T32...

And after further debugging we find this crash always comes with a Netlink socket.
And except this API "netlbl_sock_delattr", all other related Netlabel APIs have a check to validate the socket family.
That's why we added a socket family check for this API "netlbl_sock_delattr", and it resolves our issue.

Thanks
Maninder Singh

On 3/30/2015 10:09 PM, Maninder Singh wrote:
> We are currently using 3.10.58 kernel and we are facing this issue for Smack-enabled system.
> and as we can check in other APIs like netlbl_sock_getattr and netlbl_conn_setattr have this preventive check so we added this check for netlbl_sock_delattr also.
>
> And regarding patch re-submission, actually we have run checkpatch.pl before submission (successful). But when we submit the patch our editor changes tabs into spaces; we will resubmit the patch ASAP.

Further review shows that the Smack code in 3.10.72 (I don't believe it changed after 3.10.58) already checks for the address family being AF_INET. This would indicate that the netlink code is sending garbage to security_socket_sendmsg(). Can you provide a more specific test case?
I would like to see if this problem is present in newer kernels.

>
> Maninder Singh
> ------- Original Message -------
> Sender : Casey Schaufler
> Date : Mar 31, 2015 02:25 (GMT+09:00)
> Title : Re: [Fix kernel crash in cipso_v4_sock_delattr ]
>
> On 3/30/2015 4:32 AM, Paul Moore wrote:
>> On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
>>> Dear All,
>>> we found One Kernel Crash issue in cipso_v4_sock_delattr :-
>>> As Cipso supports only inet sockets so cipso_v4_sock_delattr will crash when
>>> try to access any other socket type. cipso_v4_sock_delattr access
>>> sk_inet->inet_opt which may contain not NULL but invalid address. we found
>>> this issue with netlink socket (reproducible by trinity using sendto system
>>> call).
>> Hello,
>>
>> First, please go read the Documentation/SubmittingPatches from the kernel
>> sources; your patch needs to be resubmitted and the instructions in that file
>> will show you how to do it correctly next time.
>>
>> Second, this appears to only affect Smack based systems, yes? SELinux based
>> systems should have the proper checking in place to prevent this (the checks
>> are handled in the LSM).
> This looks like a problem that was fixed some time ago.
> The current Smack code clearly checks for this. What kernel
> version are you testing against?
>
>> That said, it probably wouldn't hurt to add the
>> extra checking to netlbl_sock_delattr(). If you properly resubmit your patch
>> I'll ACK it.
>>
>> -Paul
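The following is an added worked example, written for this page and not the kernel's code nor the patch under discussion in the thread above. It is a user-space C model of the failure the thread describes (an AF_INET-only helper in the shape of cipso_v4_sock_delattr() reading inet_opt from a socket that is really a netlink socket, so the bytes it reads form a non-NULL but meaningless pointer) beside the sk_family guard the thread proposes for netlbl_sock_delattr(), in the spirit of the check the other NetLabel socket APIs already carry. The struct layouts, the ip_options stand-in, the sock_storage union and the init_* / *_yields_* / *_is_skipped / *_reaches_cipso helper names are assumptions made for the demonstration; the constants written into the netlink socket are constructed values.

```c
/* Added example (not the kernel's code and not the patch from this thread):
 * a user-space model of the bug the thread describes and of the address-family
 * guard it proposes.  Struct names mirror kernel ones, but the layouts, the
 * ip_options stand-in and every helper below are made up for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_INET    2
#define AF_NETLINK 16

struct sock {                     /* common header shared by every socket type */
    int sk_family;
};

struct ip_options {               /* stand-in for the kernel's IP options block */
    int optlen;
};

struct inet_sock {                /* AF_INET: header followed by inet-only fields */
    struct sock sk;
    struct ip_options *inet_opt;
};

struct netlink_sock {             /* AF_NETLINK: same header, unrelated tail */
    struct sock sk;
    uint32_t portid;
    uint32_t dst_portid;
    uint32_t flags;
    uint32_t ngroups;
};

union sock_storage {              /* one allocation viewed as either socket type */
    struct sock sk;
    struct inet_sock inet;
    struct netlink_sock nlk;
};

/* Model of cipso_v4_sock_delattr(): assumes sk is an inet socket and reads
 * sk_inet->inet_opt without checking.  The real function goes on to
 * dereference a non-NULL result; here the pointer is returned instead so the
 * caller can observe what would have been dereferenced without crashing. */
struct ip_options *cipso_v4_sock_delattr_model(struct sock *sk)
{
    struct inet_sock *sk_inet = (struct inet_sock *)sk;
    return sk_inet->inet_opt;
}

/* Unguarded dispatcher: the shape the thread reports as crashing. */
struct ip_options *netlbl_sock_delattr_unguarded(struct sock *sk)
{
    return cipso_v4_sock_delattr_model(sk);
}

/* Guarded dispatcher: the sk_family check the thread adds, matching the
 * validation netlbl_sock_getattr() and netlbl_conn_setattr() already do. */
struct ip_options *netlbl_sock_delattr_guarded(struct sock *sk)
{
    if (sk->sk_family != AF_INET)
        return NULL;              /* nothing CIPSO-related to delete here */
    return cipso_v4_sock_delattr_model(sk);
}

/* Constructed netlink socket: every tail field is non-zero, so whichever bytes
 * overlap inet_opt's slot (32- or 64-bit) form a non-NULL, bogus pointer. */
void init_netlink_sock(union sock_storage *s)
{
    memset(s, 0, sizeof *s);
    s->nlk.sk.sk_family = AF_NETLINK;
    s->nlk.portid = 0xdeadbeefu;      /* constructed values, not real ids */
    s->nlk.dst_portid = 0xdeadbeefu;
    s->nlk.flags = 0xdeadbeefu;
    s->nlk.ngroups = 0xdeadbeefu;
}

void init_inet_sock(union sock_storage *s, struct ip_options *opt)
{
    memset(s, 0, sizeof *s);
    s->inet.sk.sk_family = AF_INET;
    s->inet.inet_opt = opt;
}

/* 1 if the unguarded path would dereference a bogus pointer for a netlink socket. */
int unguarded_netlink_yields_bogus_pointer(void)
{
    union sock_storage s;
    init_netlink_sock(&s);
    return netlbl_sock_delattr_unguarded(&s.sk) != NULL;
}

/* 1 if the guarded path leaves the netlink socket alone. */
int guarded_netlink_is_skipped(void)
{
    union sock_storage s;
    init_netlink_sock(&s);
    return netlbl_sock_delattr_guarded(&s.sk) == NULL;
}

/* 1 if the guarded path still hands a genuine inet socket's options to CIPSO. */
int guarded_inet_still_reaches_cipso(void)
{
    static struct ip_options opt = { .optlen = 8 };
    union sock_storage s;
    init_inet_sock(&s, &opt);
    return netlbl_sock_delattr_guarded(&s.sk) == &opt;
}

int main(void)
{
    printf("unguarded, netlink: bogus non-NULL inet_opt? %d\n",
           unguarded_netlink_yields_bogus_pointer());
    printf("guarded, netlink: skipped? %d\n", guarded_netlink_is_skipped());
    printf("guarded, inet: options reached? %d\n",
           guarded_inet_still_reaches_cipso());
    return 0;
}
```

The point of the union is only to make the type confusion observable in user space: the same bytes that are a netlink socket's port ids are read as an inet_opt pointer once the wrong cast is applied, which is exactly why a family check belongs in the generic entry point and not only in the LSM caller.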