From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: Alexander Potapenko, Paul Moore, Sasha Levin
Subject: [PATCH AUTOSEL for 4.4 010/115] selinux: check for address length in selinux_socket_bind()
Date: Sat, 3 Mar 2018 22:30:53 +0000
Message-ID: <20180303223010.27106-10-alexander.levin@microsoft.com>
References: <20180303223010.27106-1-alexander.levin@microsoft.com>
In-Reply-To: <20180303223010.27106-1-alexander.levin@microsoft.com>
From: Alexander Potapenko

[ Upstream commit e2f586bd83177d22072b275edd4b8b872daba924 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in selinux_socket_bind():

===================================================================
BUG: KMSAN: use of unitialized memory
inter: 0
CPU: 3 PID: 1074 Comm: packet2 Tainted: G    B           4.8.0-rc6+ #1916
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
 [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
 [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
 [] security_socket_bind+0x1ec/0x240 security/security.c:1240
 [] SYSC_bind+0x358/0x5f0 net/socket.c:1366
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
chained origin: 00000000ba6009bb
 [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
 [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
 [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
 [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
 [] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000b8c00900)
===================================================================

(the line numbers are relative to 4.8-rc6, but the bug persists upstream),
when I run the following program as root:

=======================================================
#include <string.h>
#include <sys/socket.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
  struct sockaddr addr;
  int size = 0;
  if (argc > 1) {
    size = atoi(argv[1]);
  }
  memset(&addr, 0, sizeof(addr));
  int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
  /* |size| is passed straight through as the address length */
  bind(fd, &addr, size);
  return 0;
}
=======================================================

(for different values of |size| other error reports are printed).

This happens because bind() unconditionally copies |size| bytes of |addr|
to the kernel, leaving the rest uninitialized. Then
security_socket_bind() reads the IP address bytes, including the
uninitialized ones, to determine the port, or e.g. pass them further to
sel_netnode_find(), which uses them to calculate a hash.

Signed-off-by: Alexander Potapenko
Acked-by: Eric Dumazet
[PM: fixed some whitespace damage]
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
---
 security/selinux/hooks.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3f370eb494d1..4c7db967b7bb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4124,10 +4124,18 @@ static int selinux_socket_bind(struct socket *sock,= struct sockaddr *address, in u32 sid, node_perm; =20 if (family =3D=3D PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err =3D -EINVAL; + goto out; + } addr4 =3D (struct sockaddr_in *)address; snum =3D ntohs(addr4->sin_port); addrp =3D (char *)&addr4->sin_addr.s_addr; } else { + if (addrlen < SIN6_LEN_RFC2133) { + err =3D -EINVAL; + goto out; + } addr6 =3D (struct sockaddr_in6 *)address; snum =3D ntohs(addr6->sin6_port); addrp =3D (char *)&addr6->sin6_addr.s6_addr; --=20 2.14.1
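Review bot: the two new checks use different minimum lengths, sizeof(struct sockaddr_in) in the PF_INET branch but SIN6_LEN_RFC2133 (the RFC 2133 sockaddr_in6 layout, which stops before sin6_scope_id) in the else branch; that is sufficient because the lines that follow read only sin6_port and sin6_addr, but a one-line comment above the second check saying so would stop a later reader from "fixing" it to sizeof(struct sockaddr_in6) and rejecting valid short IPv6 addresses. Since the else branch casts to sockaddr_in6 for every family other than PF_INET, that check is also what bounds those reads, so it is worth keeping the -EINVAL return next to the cast rather than further up.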
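The failure the commit message explains (a caller-supplied length shorter than the address structure, leaving sin_port and the address bytes uninitialized) modelled in user space as an added example; this is not code from the patch or the kernel. checked_bind_port() and probe() are hypothetical names, SIN6_LEN_RFC2133 is defined locally with the kernel's value, and the addresses are constructed; it shows that a length of 0, as in the reproducer above, is rejected before any field is read.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#define SIN6_LEN_RFC2133 24 /* kernel value: sockaddr_in6 without sin6_scope_id */

/* Models the patched selinux_socket_bind() path: addrlen is validated
 * against the family's address struct before sin_port / sin_addr are read,
 * since any bytes beyond addrlen were never copied from user space. */
static int checked_bind_port(int family, const struct sockaddr *address,
                             size_t addrlen, unsigned short *port,
                             const unsigned char **addrp)
{
    if (family == PF_INET) {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)address;
        if (addrlen < sizeof(struct sockaddr_in))
            return -EINVAL;
        *port = ntohs(a4->sin_port);
        *addrp = (const unsigned char *)&a4->sin_addr.s_addr;
    } else {
        const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)address;
        if (addrlen < SIN6_LEN_RFC2133)
            return -EINVAL;
        *port = ntohs(a6->sin6_port);
        *addrp = a6->sin6_addr.s6_addr;
    }
    return 0;
}

/* Constructed scenario: an initialised address of the given family passed
 * with a chosen addrlen; returns the parsed port (8080 v4, 5353 v6) or the
 * negative errno from the check. */
static int probe(int family, size_t addrlen)
{
    struct sockaddr_storage ss;
    unsigned short port = 0;
    const unsigned char *p = NULL;
    memset(&ss, 0, sizeof(ss));
    if (family == PF_INET) {
        ((struct sockaddr_in *)&ss)->sin_family = AF_INET;
        ((struct sockaddr_in *)&ss)->sin_port = htons(8080);
    } else {
        ((struct sockaddr_in6 *)&ss)->sin6_family = AF_INET6;
        ((struct sockaddr_in6 *)&ss)->sin6_port = htons(5353);
    }
    int err = checked_bind_port(family, (const struct sockaddr *)&ss,
                                addrlen, &port, &p);
    return err ? err : port;
}
```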