Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752399AbdCCRfC (ORCPT ); Fri, 3 Mar 2017 12:35:02 -0500 Received: from mail-qk0-f169.google.com ([209.85.220.169]:36310 "EHLO mail-qk0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751799AbdCCRev (ORCPT ); Fri, 3 Mar 2017 12:34:51 -0500 MIME-Version: 1.0 In-Reply-To: <20170303172330.83421-1-glider@google.com> References: <20170303172330.83421-1-glider@google.com> From: Alexander Potapenko Date: Fri, 3 Mar 2017 18:26:25 +0100 Message-ID: Subject: Re: [PATCH] selinux: check for address length in selinux_socket_bind() To: Dmitriy Vyukov , Kostya Serebryany , Kees Cook , Eric Dumazet , Paul Moore , sds@tycho.nsa.gov Cc: LKML , Networking , selinux@tycho.nsa.gov Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v23HZGxD012053 Content-Length: 4973 Lines: 112 On Fri, Mar 3, 2017 at 6:23 PM, Alexander Potapenko wrote: > KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of > uninitialized memory in packet_bind_spkt(): Should be "in selinux_socket_bind()", will fix in the next patch version. > ================================================================== > BUG: KMSAN: use of unitialized memory > inter: 0 > CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48 > ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550 > 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002 > Call Trace: > [< inline >] __dump_stack lib/dump_stack.c:15 > [] dump_stack+0x238/0x290 lib/dump_stack.c:51 > [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008 > [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424 > [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288 > [] security_socket_bind+0x1ec/0x240 security/security.c:1240 > [] SYSC_bind+0x358/0x5f0 net/socket.c:1366 > [] SyS_bind+0x82/0xa0 net/socket.c:1356 > [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 > [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:? > chained origin: 00000000ba6009bb > [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67 > [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322 > [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337 > [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530 > [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380 > [] SYSC_bind+0x129/0x5f0 net/socket.c:1356 > [] SyS_bind+0x82/0xa0 net/socket.c:1356 > [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 > [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:? > origin description: ----address@SYSC_bind (origin=00000000b8c00900) > ================================================================== > > (the line numbers are relative to 4.8-rc6, but the bug persists upstream) > > , when I run the following program as root: > > ======================================================= > #include > #include > #include > > int main(int argc, char *argv[]) { > struct sockaddr addr; > int size = 0; > if (argc > 1) { > size = atoi(argv[1]); > } > memset(&addr, 0, sizeof(addr)); > int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); > bind(fd, &addr, size); > return 0; > } > ======================================================= > > (for different values of |size| other error reports are printed). > > This happens because bind() unconditionally copies |size| bytes of > |addr| to the kernel, leaving the rest uninitialized. Then > security_socket_bind() reads the IP address bytes, including the > uninitialized ones, to determine the port, or e.g. pass them further to > sel_netnode_find(), which uses them to calculate a hash. > > Signed-off-by: Alexander Potapenko > --- > security/selinux/hooks.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0a4b4b040e0a..eba54489b11b 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in > u32 sid, node_perm; > > if (family == PF_INET) { > + if (addrlen != sizeof(struct sockaddr_in)) { > + err = -EINVAL; > + goto out; > + } > addr4 = (struct sockaddr_in *)address; > snum = ntohs(addr4->sin_port); > addrp = (char *)&addr4->sin_addr.s_addr; > + > } else { > + if (addrlen != sizeof(struct sockaddr_in6)) { > + err = -EINVAL; > + goto out; > + } > addr6 = (struct sockaddr_in6 *)address; > snum = ntohs(addr6->sin6_port); > addrp = (char *)&addr6->sin6_addr.s6_addr; > -- > 2.12.0.rc1.440.g5b76565f74-goog > -- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg