Received: by 10.223.176.5 with SMTP id f5csp480601wra;
        Tue, 30 Jan 2018 14:46:56 -0800 (PST)
X-Google-Smtp-Source: AH8x224Rlqp7sFAMFHrIpFB3XU8FYE8Covha0Gl6lZdPmFtD3FWTApf5+TnfNrphd3sPuz/HD74u
X-Received: by 2002:a17:902:6a89:: with SMTP id n9-v6mr26255029plk.212.1517352416703;
        Tue, 30 Jan 2018 14:46:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517352416; cv=none;
        d=google.com; s=arc-20160816;
        b=YI8mAeky8X7J/TbnKPcjVKS+mDoVUBxT/hZGIwYz48MFdzuui3/tPBH6MITM/s+Jn0
         lzPdRhA+Vw4MdRqw5lWXMXsbFPv64kRpBMXHVEhScbcDVCuuSB2w5YtGX2ZntD09QGVc
         i5Aq3gpG/G5xNfXgQ7oOHXfpCo8aFmlvCp3iCg6BM1akGg8n/7pugaKXl+9YA/2rC7Qs
         QyBtUSSCQEBUC4QkZNU1XI2uK7FFj8lkeDHFv3WpUGR6phnILkDvjRMbFVtAPfDC0geN
         hjd7d/ovhB0jcz5+ZHE5qL1t+8fZ4dXcLQwrotAZbjzYpUb8NTLD3G9mhnkQy7rhS+4y
         UW3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=aZ35+3sQItX0tZ1QiHPLOscIjR+j2A/7nPQLNbbAkOw=;
        b=U7BJmM4PnAoj3ul0XaOqbBUEbAGGZhUoKBJHBheNLINqmvzOXu8cAELu2P3IbmFszg
         eSykxuZHydOirrBbD1OAAi7tyz0WxyiaFxS9uIKM/vnR8P9oA5cqLx6oq059K5U1jTr3
         D5t79/RUSLh2P0g4rYnnE8NAYApMV67UjyJxOXxObQDzj1vWqBw8gbEuxE4HTqjqpNdo
         YnAbtm1slgyi2OfBAU96apRlmeY95YgX03Yhf0Wbp6CDEHGTY+tXVjfGZEWxlE6XZUQg
         Z6oBP4Vxt20FazawhqCRMq6CHmvZumXvxS4V+f+IFewJM/iNra8yfKXmEYj/NYHgE2mj
         U9yQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t70si493912pgd.13.2018.01.30.14.46.41;
        Tue, 30 Jan 2018 14:46:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753352AbeA3WqT (ORCPT <rfc822;sujaykul91@gmail.com>
        + 99 others); Tue, 30 Jan 2018 17:46:19 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:36434 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752212AbeA3WqS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Jan 2018 17:46:18 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 7C3D6DAD;
        Tue, 30 Jan 2018 22:46:17 +0000 (UTC)
Date:   Tue, 30 Jan 2018 23:46:14 +0100
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Mark Salyzyn <salyzyn@android.com>
Cc:     Stephen Smalley <sds@tycho.nsa.gov>, linux-kernel@vger.kernel.org,
        Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>,
        James Morris <james.l.morris@oracle.com>,
        "Serge E. Hallyn" <serge@hallyn.com>, selinux@tycho.nsa.gov,
        linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] general protection fault in sock_has_perm
Message-ID: <20180130224614.GA13647@kroah.com>
References: <20180118215853.228182-1-salyzyn@android.com>
 <1516382386.2560.11.camel@tycho.nsa.gov>
 <1516383672.2560.23.camel@tycho.nsa.gov>
 <99c11fa6-ad9a-830c-467e-6a56e78aecf8@android.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <99c11fa6-ad9a-830c-467e-6a56e78aecf8@android.com>
User-Agent: Mutt/1.9.3 (2018-01-21)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 30, 2018 at 11:00:04AM -0800, Mark Salyzyn wrote:
> On 01/19/2018 09:41 AM, Stephen Smalley wrote:
> > If we can't safely dereference the sock in these hooks, then that seems
> > to point back to the approach used in my original code, where in
> > ancient history I had sock_has_perm() take the socket and use its inode
> > i_security field instead of the sock.  commit
> > 253bfae6e0ad97554799affa0266052968a45808 switched them to use the sock
> > instead.
> 
> Because of the nature of this problem (hard to duplicate, no clear path), I
> am understandably not comfortable reverting and submitting for testing in
> order to prove this point. It is disruptive because it changes several
> subroutine call signatures.
> 
> AFAIK this looks like a user request racing in without reference counting or
> RCU grace period in the callers (could be viewed as not an issue with
> security code). Effectively fixed in 4.9-stable, but broken in 4.4-stable.
> 
> hygiene, KISS and small, is all I do feel comfortable to submit to
> 4.4-stable without pulling in all the infrastructure improvements.
> 
> -- Mark
> 
> ---
> ?security/selinux/hooks.c | 2 ++
> ?1 file changed, 2 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 34427384605d..be68992a28cb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4066,6 +4066,8 @@ static int sock_has_perm(struct task_struct *task,
> struct sock *sk, u32 perms)
> ???? struct lsm_network_audit net = {0,};
> ???? u32 tsid = task_sid(task);
> 
> +??? if (!sksec)
> +??? ??? return -EFAULT;
> ???? if (sksec->sid == SECINITSID_KERNEL)
> ???? ??? return 0;
> 

This looks sane to me as a simple 4.4-only fix.  If the SELinux
maintainer acks it, I can easily queue this up.

thanks,

greg k-h