From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexander Potapenko, Eric Dumazet, Paul Moore, Sasha Levin
Subject: [PATCH 4.9 019/241] selinux: check for address length in selinux_socket_bind()
Date: Mon, 19 Mar 2018 19:04:44 +0100
Message-Id: <20180319180751.966983534@linuxfoundation.org>
In-Reply-To: <20180319180751.172155436@linuxfoundation.org>
References: <20180319180751.172155436@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Alexander Potapenko

[ Upstream commit e2f586bd83177d22072b275edd4b8b872daba924 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in selinux_socket_bind():

==================================================================
BUG: KMSAN: use of unitialized memory
inter: 0
CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
 [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
 [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
 [] security_socket_bind+0x1ec/0x240 security/security.c:1240
 [] SYSC_bind+0x358/0x5f0 net/socket.c:1366
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
chained origin: 00000000ba6009bb
 [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
 [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337
 [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
 [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
 [] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [] SyS_bind+0x82/0xa0 net/socket.c:1356
 [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000b8c00900)
==================================================================

(the line numbers are relative to 4.8-rc6, but the bug persists upstream)

, when I run the following program as root:

=======================================================
/* Reproducer: bind() with a caller-chosen, possibly too short, address length.
 * Headers restored to make the program compile as posted. */
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
  struct sockaddr addr;
  int size = 0;
  if (argc > 1) {
    size = atoi(argv[1]);        /* address length passed to bind() */
  }
  memset(&addr, 0, sizeof(addr));
  int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
  bind(fd, &addr, size);         /* only |size| bytes reach the kernel */
  return 0;
}
=======================================================

(for different values of |size| other error reports are printed).

This happens because bind() unconditionally copies |size| bytes of |addr|
to the kernel, leaving the rest uninitialized. Then security_socket_bind()
reads the IP address bytes, including the uninitialized ones, to determine
the port, or e.g. pass them further to sel_netnode_find(), which uses them
to calculate a hash.

Signed-off-by: Alexander Potapenko
Acked-by: Eric Dumazet
[PM: fixed some whitespace damage]
Signed-off-by: Paul Moore
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
--- security/selinux/hooks.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4328,10 +4328,18 @@ static int selinux_socket_bind(struct so u32 sid, node_perm; if (family == PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err = -EINVAL; + goto out; + } addr4 = (struct sockaddr_in *)address; snum = ntohs(addr4->sin_port); addrp = (char *)&addr4->sin_addr.s_addr; } else { + if (addrlen < SIN6_LEN_RFC2133) { + err = -EINVAL; + goto out; + } addr6 = (struct sockaddr_in6 *)address; snum = ntohs(addr6->sin6_port); addrp = (char *)&addr6->sin6_addr.s6_addr;
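Review bot: the two new checks use different bounds, and the reason is not stated in the hunk: the PF_INET branch requires a full sizeof(struct sockaddr_in), while the else branch (PF_INET6) only requires SIN6_LEN_RFC2133, which is shorter than sizeof(struct sockaddr_in6). That is enough for what the hunk reads, since sin6_port and sin6_addr both lie inside the RFC 2133 prefix and sin6_scope_id (which does not) is never touched here, so a one-line comment such as `/* sin6_port and sin6_addr fit in SIN6_LEN_RFC2133; sin6_scope_id is not used */` would save the next reader a trip to the struct definition. Both branches also rely on `err = -EINVAL; goto out;`, and neither `err` nor the `out:` label is in the visible context; worth confirming that the `out:` path returns `err` rather than a fixed success value, otherwise a short address would still be allowed through the hook.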
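As an added example (my own code, not part of this patch or of the kernel tree), the following user-space model shows why a short addrlen lets the pre-patch hook read bytes that never came from user space, and applies the same per-family minimum-length check the hunk introduces before any field is read. move_addr_to_kernel() is modelled by a memcpy of addrlen bytes into a buffer pre-filled with 0xAA, standing in for uninitialized kernel stack memory; the function names, the 0xAA sentinel and the port 8080 input are constructed for the example, and SIN6_LEN_RFC2133 is defined locally with the kernel's value (24) because that constant is not exported to user space.

```c
/* Added example, not from the patch: model of the short-addrlen read in
 * selinux_socket_bind() and of the length check the patch adds. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#ifndef SIN6_LEN_RFC2133
/* Kernel value: sockaddr_in6 up to and including sin6_addr (no sin6_scope_id). */
#define SIN6_LEN_RFC2133 24
#endif

/* Model of move_addr_to_kernel(): only addrlen bytes of the user address are
 * copied; the rest of the kernel-side buffer keeps whatever was there before.
 * 0xAA is a constructed sentinel for "uninitialized stack memory". */
static void model_copy_from_user(struct sockaddr_storage *kaddr,
                                 const void *uaddr, size_t addrlen)
{
    memset(kaddr, 0xAA, sizeof(*kaddr));
    if (addrlen > sizeof(*kaddr))
        addrlen = sizeof(*kaddr);
    memcpy(kaddr, uaddr, addrlen);
}

/* The check the patch adds, collected in one place: minimum length per family. */
static int bind_addrlen_ok(int family, size_t addrlen)
{
    if (family == PF_INET)
        return addrlen < sizeof(struct sockaddr_in) ? -EINVAL : 0;
    if (family == PF_INET6)
        return addrlen < SIN6_LEN_RFC2133 ? -EINVAL : 0;
    return -EAFNOSUPPORT;   /* other families are not modelled here */
}

/* Pre-patch behaviour: read the port without looking at addrlen. */
static unsigned unchecked_bind_port(int family, const void *uaddr, size_t addrlen)
{
    struct sockaddr_storage kaddr;
    model_copy_from_user(&kaddr, uaddr, addrlen);
    if (family == PF_INET)
        return ntohs(((struct sockaddr_in *)&kaddr)->sin_port);
    return ntohs(((struct sockaddr_in6 *)&kaddr)->sin6_port);
}

/* Post-patch behaviour: refuse short addresses before touching any field. */
static int checked_bind_port(int family, const void *uaddr, size_t addrlen,
                             uint16_t *port)
{
    struct sockaddr_storage kaddr;
    int err = bind_addrlen_ok(family, addrlen);
    if (err)
        return err;
    model_copy_from_user(&kaddr, uaddr, addrlen);
    if (family == PF_INET)
        *port = ntohs(((struct sockaddr_in *)&kaddr)->sin_port);
    else
        *port = ntohs(((struct sockaddr_in6 *)&kaddr)->sin6_port);
    return 0;
}

/* Constructed input in the spirit of the reproducer: a zeroed IPv6 address
 * with port 8080, passed to "bind" with a caller-chosen addrlen. */
static void constructed_user_addr(struct sockaddr_in6 *addr)
{
    memset(addr, 0, sizeof(*addr));
    addr->sin6_family = AF_INET6;
    addr->sin6_port = htons(8080);
}

/* Port the unchecked hook would see for the constructed input at addrlen. */
static unsigned demo_unchecked_port(size_t addrlen)
{
    struct sockaddr_in6 addr;
    constructed_user_addr(&addr);
    return unchecked_bind_port(PF_INET6, &addr, addrlen);
}

/* Checked variant: negative errno for a short address, else the port. */
static int demo_checked_port(size_t addrlen)
{
    struct sockaddr_in6 addr;
    uint16_t port = 0;
    int err;
    constructed_user_addr(&addr);
    err = checked_bind_port(PF_INET6, &addr, addrlen, &port);
    return err ? err : (int)port;
}

int main(void)
{
    /* addrlen 0, as in the reproducer: the unchecked read yields the 0xAAAA
     * sentinel (stack garbage in the real kernel); the checked path refuses. */
    printf("unchecked addrlen=0:  port=%u\n", demo_unchecked_port(0));
    printf("checked   addrlen=0:  rc=%d\n", demo_checked_port(0));
    printf("checked   addrlen=%zu: rc=%d\n", sizeof(struct sockaddr_in6),
           demo_checked_port(sizeof(struct sockaddr_in6)));
    return 0;
}
```

The point of the model is that the hook runs before the protocol's own bind handler validates the length, so any field it reads must be covered by addrlen; the 0xAA sentinel makes the uninitialized read visible without KMSAN.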