From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: Alexander Potapenko, Paul Moore, Sasha Levin
Subject: [PATCH AUTOSEL for 4.9 021/219] selinux: check for address length in selinux_socket_bind()
Date: Sat, 3 Mar 2018 22:28:07 +0000
Message-ID: <20180303222716.26640-21-alexander.levin@microsoft.com>
In-Reply-To: <20180303222716.26640-1-alexander.levin@microsoft.com>
List-ID: linux-kernel@vger.kernel.org
From: Alexander Potapenko

[ Upstream commit e2f586bd83177d22072b275edd4b8b872daba924 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in selinux_socket_bind():

==================================================================
BUG: KMSAN: use of unitialized memory
inter: 0
CPU: 3  PID: 1074  Comm: packet2  Tainted: G    B           4.8.0-rc6+ #1916
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
 [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
 [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
 [] security_socket_bind+0x1ec/0x240 security/security.c:1240
 [] SYSC_bind+0x358/0x5f0 net/socket.c:1366
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
chained origin: 00000000ba6009bb
 [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
 [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
 [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
 [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
 [] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000b8c00900)
==================================================================

(the line numbers are relative to 4.8-rc6, but the bug persists upstream)

, when I run the following program as root:

=====================================
#include <string.h>
#include <sys/socket.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
	struct sockaddr addr;
	int size = 0;

	if (argc > 1) {
		size = atoi(argv[1]);
	}
	/* Zero the whole struct in user space; only |size| bytes of it
	 * reach the kernel, so the kernel-side copy is partially stale. */
	memset(&addr, 0, sizeof(addr));
	int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
	bind(fd, &addr, size);
	return 0;
}
=====================================

(for different values of |size| other error reports are printed).

This happens because bind() unconditionally copies |size| bytes of
|addr| to the kernel, leaving the rest uninitialized. Then
security_socket_bind() reads the IP address bytes, including the
uninitialized ones, to determine the port, or e.g. pass them further to
sel_netnode_find(), which uses them to calculate a hash.

Signed-off-by: Alexander Potapenko
Acked-by: Eric Dumazet
[PM: fixed some whitespace damage]
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
---
 security/selinux/hooks.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c2da45ae5b2a..b8278f3af9da 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4328,10 +4328,18 @@ static int selinux_socket_bind(struct socket *sock,= struct sockaddr *address, in u32 sid, node_perm; =20 if (family =3D=3D PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err =3D -EINVAL; + goto out; + } addr4 =3D (struct sockaddr_in *)address; snum =3D ntohs(addr4->sin_port); addrp =3D (char *)&addr4->sin_addr.s_addr; } else { + if (addrlen < SIN6_LEN_RFC2133) { + err =3D -EINVAL; + goto out; + } addr6 =3D (struct sockaddr_in6 *)address; snum =3D ntohs(addr6->sin6_port); addrp =3D (char *)&addr6->sin6_addr.s6_addr; --=20 2.14.1
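Review bot: the two new bounds are of different kinds and that deserves a comment: the PF_INET branch compares addrlen against sizeof(struct sockaddr_in), while the else branch on `+ if (addrlen < SIN6_LEN_RFC2133) {` compares against the 24-byte RFC 2133 minimum rather than sizeof(struct sockaddr_in6) (28 bytes). The 24-byte bound is the right one, since sin6_port and sin6_addr both lie within it and it is the same minimum inet6_bind() accepts, but without a one-line comment a later cleanup could "normalise" it to sizeof(struct sockaddr_in6) and start rejecting callers that pass the shorter form. Also worth noting that the else branch does not check family itself; it relies on the caller having already narrowed family to PF_INET or PF_INET6, which this hunk does not show, so the new -EINVAL paths are only correct as long as that surrounding condition stays in place.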
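The commit message describes the mechanism (bind() copies only addrlen bytes into a kernel buffer, after which the SELinux hook reads sin_port/sin6_addr from that buffer) and the patch adds the missing length check. The following is an added, user-space model of both halves, written for this page and not taken from the kernel or the patch: model_sys_bind() mimics the partial copy by pre-filling a kernel-side sockaddr_storage with a 0xAA pattern and copying only addrlen bytes over it, and model_bind_check() applies the patched hook's checks before any field is read. All function and struct names here (model_sys_bind, model_bind_check, demo_bind, bind_addr_info) are this example's own; SIN6_LEN_RFC2133 is defined locally with the kernel's value of 24. The sample addresses are constructed inline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Minimal sockaddr_in6: family(2) + port(2) + flowinfo(4) + addr(16). */
#define SIN6_LEN_RFC2133 24

/* What selinux_socket_bind() goes on to use once the address is validated. */
struct bind_addr_info {
	unsigned short snum;        /* port in host order */
	const unsigned char *addrp; /* address bytes inside the kernel-side buffer */
	size_t addr_bytes;          /* 4 for IPv4, 16 for IPv6 */
};

/* Model of the patched hook: reject a sockaddr that is too short for its
 * family before touching any field beyond what the caller actually copied.
 * Returns 0 on success, -EINVAL on a short address, -EAFNOSUPPORT otherwise. */
int model_bind_check(sa_family_t family, const struct sockaddr *address,
		     socklen_t addrlen, struct bind_addr_info *out)
{
	if (family == PF_INET) {
		if (addrlen < sizeof(struct sockaddr_in))
			return -EINVAL;
		const struct sockaddr_in *a4 = (const struct sockaddr_in *)address;
		out->snum = ntohs(a4->sin_port);
		out->addrp = (const unsigned char *)&a4->sin_addr.s_addr;
		out->addr_bytes = 4;
	} else if (family == PF_INET6) {
		/* 24, not sizeof(struct sockaddr_in6): sin6_scope_id may be absent. */
		if (addrlen < SIN6_LEN_RFC2133)
			return -EINVAL;
		const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)address;
		out->snum = ntohs(a6->sin6_port);
		out->addrp = a6->sin6_addr.s6_addr;
		out->addr_bytes = 16;
	} else {
		return -EAFNOSUPPORT; /* the real hook only handles these two */
	}
	return 0;
}

/* Model of the syscall side: only addrlen bytes of the user buffer reach the
 * kernel copy.  0xAA stands in for the stale stack bytes KMSAN flagged. */
int model_sys_bind(sa_family_t family, const void *uaddr, socklen_t addrlen,
		   struct bind_addr_info *out)
{
	struct sockaddr_storage kaddr;

	memset(&kaddr, 0xAA, sizeof(kaddr));
	if (addrlen > sizeof(kaddr))
		return -EINVAL;
	memcpy(&kaddr, uaddr, addrlen);
	return model_bind_check(family, (const struct sockaddr *)&kaddr, addrlen, out);
}

/* Constructed sample addresses (127.0.0.1:80 and [::1]:5353).  Returns the
 * parsed port on success or the negative errno the model check produced. */
int demo_bind(sa_family_t family, socklen_t addrlen)
{
	struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(80) };
	struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(5353) };
	struct bind_addr_info info;
	int r;

	a4.sin_addr.s_addr = htonl(0x7f000001u);
	a6.sin6_addr.s6_addr[15] = 1;
	r = (family == PF_INET)
		? model_sys_bind(family, &a4, addrlen, &info)
		: model_sys_bind(family, &a6, addrlen, &info);
	return r < 0 ? r : (int)info.snum;
}

int main(void)
{
	/* Same call the reproducer in the commit message makes: IPv6, length 0. */
	printf("PF_INET6 addrlen=0  -> %d\n", demo_bind(PF_INET6, 0));
	printf("PF_INET6 addrlen=24 -> %d\n", demo_bind(PF_INET6, SIN6_LEN_RFC2133));
	printf("PF_INET  addrlen=16 -> %d\n", demo_bind(PF_INET, sizeof(struct sockaddr_in)));
	return 0;
}
```

Without the length test, the IPv6 case with addrlen 0 would read sin6_port and sin6_addr out of the 0xAA-filled region, which is exactly the uninitialized read the report above shows; with it, every short address fails closed with -EINVAL before the port or address bytes are examined.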