Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932303AbdCFU1u (ORCPT <rfc822;w@1wt.eu>);
        Mon, 6 Mar 2017 15:27:50 -0500
Received: from mail-pg0-f65.google.com ([74.125.83.65]:34493 "EHLO
        mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932161AbdCFU1f (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Mar 2017 15:27:35 -0500
Message-ID: <1488828542.9415.391.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: Re: [PATCH v2] selinux: check for address length in
 selinux_socket_bind()
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Alexander Potapenko <glider@google.com>
Cc: dvyukov@google.com, kcc@google.com, keescook@chromium.org,
        edumazet@google.com, paul@paul-moore.com, sds@tycho.nsa.gov,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        selinux@tycho.nsa.gov
Date: Mon, 06 Mar 2017 11:29:02 -0800
In-Reply-To: <20170306184614.20056-1-glider@google.com>
References: <20170306184614.20056-1-glider@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.10.4-0ubuntu2 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1352
Lines: 42

On Mon, 2017-03-06 at 19:46 +0100, Alexander Potapenko wrote:
> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in selinux_socket_bind():
> 
...
> Signed-off-by: Alexander Potapenko <glider@google.com>
> ---
> Changes since v1:
>  - fixed patch description
>  - fixed addrlen tests to match those in inet_bind() and inet6_bind()
>    (per comment from Eric Dumazet)
> ---
>  security/selinux/hooks.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0a4b4b040e0a..ddc4aca6c840 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
>  		u32 sid, node_perm;
>  
>  		if (family == PF_INET) {
> +			if (addrlen < sizeof(struct sockaddr_in)) {
> +				err = -EINVAL;
> +				goto out;
> +			}
>  			addr4 = (struct sockaddr_in *)address;
>  			snum = ntohs(addr4->sin_port);
>  			addrp = (char *)&addr4->sin_addr.s_addr;
> +
>  		} else {
> +			if (addrlen < SIN6_LEN_RFC2133) {
> +				err = -EINVAL;
> +				goto out;
> +			}
>  			addr6 = (struct sockaddr_in6 *)address;
>  			snum = ntohs(addr6->sin6_port);
>  			addrp = (char *)&addr6->sin6_addr.s6_addr;

Acked-by: Eric Dumazet <edumazet@google.com>