From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Alexander Potapenko, Paul Moore, Sasha Levin
Subject: [PATCH AUTOSEL for 3.18 06/63] selinux: check for address length in selinux_socket_bind()
Date: Sat, 3 Mar 2018 22:33:12 +0000
Message-ID: <20180303223228.27323-6-alexander.levin@microsoft.com>
References: <20180303223228.27323-1-alexander.levin@microsoft.com>
In-Reply-To: <20180303223228.27323-1-alexander.levin@microsoft.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
From: Alexander Potapenko

[ Upstream commit e2f586bd83177d22072b275edd4b8b872daba924 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in selinux_socket_bind():

==================================================================
BUG: KMSAN: use of unitialized memory
inter: 0
CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
 [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
 [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
 [] security_socket_bind+0x1ec/0x240 security/security.c:1240
 [] SYSC_bind+0x358/0x5f0 net/socket.c:1366
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
chained origin: 00000000ba6009bb
 [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
 [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
 [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
 [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
 [] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000b8c00900)
==================================================================

(the line numbers are relative to 4.8-rc6, but the bug persists
upstream), when I run the following program as root:

=======================================================
#include <string.h>
#include <sys/socket.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
	struct sockaddr addr;
	int size = 0;
	if (argc > 1) {
		size = atoi(argv[1]);
	}
	memset(&addr, 0, sizeof(addr));
	int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
	bind(fd, &addr, size);
	return 0;
}
=======================================================

(for different values of |size| other error reports are printed).

This happens because bind() unconditionally copies |size| bytes of |addr|
to the kernel, leaving the rest uninitialized. Then
security_socket_bind() reads the IP address bytes, including the
uninitialized ones, to determine the port, or e.g. pass them further to
sel_netnode_find(), which uses them to calculate a hash.

Signed-off-by: Alexander Potapenko
Acked-by: Eric Dumazet
[PM: fixed some whitespace damage]
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
---
 security/selinux/hooks.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8223fe463fa3..98370d019e6c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4061,10 +4061,18 @@ static int selinux_socket_bind(struct socket *sock,= struct sockaddr *address, in u32 sid, node_perm; =20 if (family =3D=3D PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err =3D -EINVAL; + goto out; + } addr4 =3D (struct sockaddr_in *)address; snum =3D ntohs(addr4->sin_port); addrp =3D (char *)&addr4->sin_addr.s_addr; } else { + if (addrlen < SIN6_LEN_RFC2133) { + err =3D -EINVAL; + goto out; + } addr6 =3D (struct sockaddr_in6 *)address; snum =3D ntohs(addr6->sin6_port); addrp =3D (char *)&addr6->sin6_addr.s6_addr; --=20 2.14.1
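Review bot: the IPv6 branch bounds addrlen by SIN6_LEN_RFC2133 while the IPv4 branch uses sizeof(struct sockaddr_in); the asymmetry is right but undocumented, and a one-line comment above `if (addrlen < SIN6_LEN_RFC2133) {` would stop a later reader from "correcting" it to sizeof(struct sockaddr_in6). SIN6_LEN_RFC2133 is 24 bytes, which covers sin6_family, sin6_port, sin6_flowinfo and sin6_addr; those are the only fields the context lines read (`snum = ntohs(addr6->sin6_port);` and `addrp = (char *)&addr6->sin6_addr.s6_addr;`), sin6_scope_id is never touched here, and 24 is also the minimum inet6_bind() itself accepts, so requiring the full 28-byte struct would reject callers the protocol layer allows. The same comment could note that the else branch casts to sockaddr_in6 on the assumption that the enclosing condition (not visible in this hunk) has already limited `family` to PF_INET6.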
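As an added example that is not part of this patch or of the kernel tree, the following user-space model shows why the length check has to come before the cast. It mimics the kernel copying exactly `size` bytes of the caller's address into a kernel-side buffer, then runs a hook shaped like the pre-fix code (reads sin_port/sin6_port regardless of length) next to a hook carrying the checks the patch adds. The names model_move_addr_to_kernel, hook_before_fix, hook_after_fix, model_bind and model_bind_port are assumptions of this model, not kernel APIs; the 0xAA fill is a constructed stand-in for the uninitialised stack bytes KMSAN complained about, and SIN6_LEN_RFC2133 is defined locally as 24 only because glibc's headers do not export it.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * selinux_socket_bind() address-length bug and its fix.
 */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Value from include/uapi/linux/in6.h; glibc's netinet/in.h lacks it. */
#ifndef SIN6_LEN_RFC2133
#define SIN6_LEN_RFC2133 24
#endif

/*
 * Stand-in for the kernel's copy of the user address: only `ulen` bytes
 * come from user space; everything past them keeps whatever the
 * kernel-side buffer held before (stale stack contents in SYSC_bind()).
 */
static int model_move_addr_to_kernel(const void *uaddr, int ulen,
				     struct sockaddr_storage *kaddr)
{
	if (ulen < 0 || ulen > (int)sizeof(*kaddr))
		return -EINVAL;
	if (ulen == 0)
		return 0;
	memcpy(kaddr, uaddr, (size_t)ulen);
	return 0;
}

/* Shape of the hook before the patch: cast and read, addrlen ignored. */
static int hook_before_fix(int family, const struct sockaddr *address,
			   int addrlen, unsigned short *snum)
{
	(void)addrlen;
	if (family == PF_INET) {
		const struct sockaddr_in *addr4 = (const struct sockaddr_in *)address;
		*snum = ntohs(addr4->sin_port);
	} else {
		const struct sockaddr_in6 *addr6 = (const struct sockaddr_in6 *)address;
		*snum = ntohs(addr6->sin6_port);
	}
	return 0;
}

/* Same hook with the patch's checks: reject short addresses before any read. */
static int hook_after_fix(int family, const struct sockaddr *address,
			  int addrlen, unsigned short *snum)
{
	if (family == PF_INET) {
		if (addrlen < (int)sizeof(struct sockaddr_in))
			return -EINVAL;
		const struct sockaddr_in *addr4 = (const struct sockaddr_in *)address;
		*snum = ntohs(addr4->sin_port);
	} else {
		if (addrlen < SIN6_LEN_RFC2133)
			return -EINVAL;
		const struct sockaddr_in6 *addr6 = (const struct sockaddr_in6 *)address;
		*snum = ntohs(addr6->sin6_port);
	}
	return 0;
}

/*
 * One bind() of a zeroed user address of `size` bytes (as in the
 * reproducer) through the model. `stale` fills the kernel buffer first,
 * a constructed stand-in for uninitialised stack memory. Returns the
 * hook's result; *snum receives the port the hook derived.
 */
static int model_bind(int family, int size, uint8_t stale, int fixed,
		      unsigned short *snum)
{
	struct sockaddr_storage uaddr, kaddr;
	int err;

	memset(&uaddr, 0, sizeof(uaddr));
	memset(&kaddr, stale, sizeof(kaddr));
	*snum = 0;
	err = model_move_addr_to_kernel(&uaddr, size, &kaddr);
	if (err)
		return err;
	return fixed ? hook_after_fix(family, (struct sockaddr *)&kaddr, size, snum)
		     : hook_before_fix(family, (struct sockaddr *)&kaddr, size, snum);
}

/* Convenience: negative errno on rejection, otherwise the derived port. */
static int model_bind_port(int family, int size, uint8_t stale, int fixed)
{
	unsigned short snum;
	int err = model_bind(family, size, stale, fixed, &snum);
	return err ? err : (int)snum;
}

int main(void)
{
	static const int sizes[] = { 0, 2, 8, 16, SIN6_LEN_RFC2133, 28 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("PF_INET6 size=%2d  before fix: %6d  after fix: %6d\n",
		       sizes[i],
		       model_bind_port(PF_INET6, sizes[i], 0xAA, 0),
		       model_bind_port(PF_INET6, sizes[i], 0xAA, 1));
	return 0;
}
```

With size 0 or 2 the pre-fix hook happily derives port 0xAAAA from bytes user space never supplied, which is exactly the uninitialised read KMSAN flagged; the fixed hook returns -EINVAL for anything shorter than 24 bytes on an IPv6 socket (16 on IPv4) and only then casts.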