Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3700187ybv;
        Mon, 10 Feb 2020 04:58:21 -0800 (PST)
X-Google-Smtp-Source: APXvYqySJQlbKmw9VEz1uU4AzO4jllOz0DiLdLLpJX62qIYiB3h/yWbAyZQX4hRD5+vI1N7McDj2
X-Received: by 2002:a9d:7999:: with SMTP id h25mr941050otm.347.1581339501358;
        Mon, 10 Feb 2020 04:58:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581339501; cv=none;
        d=google.com; s=arc-20160816;
        b=YLv5O+Dad86Yh2kxpS4OIdKgZ8ISLL5VhPU1LpCh+Jp7ntkA/eum4oxZMgw/fc8SGg
         6qk6LOW5Mo9L/Rt0P+3Wug7d3DgT9VvJY1lLYSHqoM1BmY4lXj+DlrLTnRFc6NmgoFub
         t6hn+zvY1glLpjoV5VO85o2k6xoVpqY3p7iolDHHF1cx9AkB2qOkDm5qGRbwajm6NdQT
         yQuAtidUlcm42ChT2siRFPKtL5KA1CkAhaveeB6HYDXzgQQlsiwBVdYpAj/MFi73Q77c
         xj/KWVrSumigJvF+tkik4RnjJrhp55cuzcq8KyMfR5pSNaSZ1O8hc5agQI3KsJppTmvA
         NHZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=LB3mQsZSMOn7eNWqQiKate/JPB5o65E1ynbmSDEXibM=;
        b=j6JMic1eIwn9ePrO0vwm3Wq8xF1bCvtaap4CQIfPibFFVx9/z7gaeKrVXLbQHyZASO
         oQqzZULQyMKyzrZObzrxYevP3n7cI/gEZjhAonJkYmO2tCMmIebD6CNgMVPgymjRfSiW
         DqUjfwM921/Ho/hDucCToYEGx23cDAHEy8G+dzs+I3rCPhERGxr3VYwhNWfcezKo34mF
         KwwfazTNsvb+DB8MoPESk5NDdoRsLv01oy9O/ggsiUBf7y72CeTEaNiqCGAwRBs8AVpK
         LWNgIWsBCsVFsivleGU2DuDUZvmLN6GpRdmy2x7SXRSpGzl+qdcSuUb422tTxb1FDI04
         F+hw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=MIQJqyu2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f4si143151oto.169.2020.02.10.04.58.09;
        Mon, 10 Feb 2020 04:58:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=MIQJqyu2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727422AbgBJM5K (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Mon, 10 Feb 2020 07:57:10 -0500
Received: from mail.kernel.org ([198.145.29.99]:43994 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730009AbgBJMlc (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Feb 2020 07:41:32 -0500
Received: from localhost (unknown [209.37.97.194])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id DD48E20733;
        Mon, 10 Feb 2020 12:41:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1581338492;
        bh=MwVZA0bWr2W2YVauC7MtLgdZAa1xZxjPpV7KNM14dlA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=MIQJqyu2iLek3hhlrDYfM1HG0UujkW612ojfAyiF9ieQUSTTux9O8+G+l1//m0cEv
         lLYZdfgxf368BkopRdmsDEb/kjNPN1PvScaPt4grYLCou2ym13o3C1RRTzNGiK8jCd
         toqSS/cxzNgu353t08GduO7l9DXAvXdW8T9ZoTGI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, David Ahern <dsahern@gmail.com>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Casey Schaufler <casey@schaufler-ca.com>
Subject: [PATCH 5.5 277/367] broken ping to ipv6 linklocal addresses on debian buster
Date:   Mon, 10 Feb 2020 04:33:10 -0800
Message-Id: <20200210122449.705929325@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>
References: <20200210122423.695146547@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Casey Schaufler <casey@schaufler-ca.com>

commit 87fbfffcc89b92a4281b0aa53bd06af714087889 upstream.

I am seeing ping failures to IPv6 linklocal addresses with Debian
buster. Easiest example to reproduce is:

$ ping -c1 -w1 ff02::1%eth1
connect: Invalid argument

$ ping -c1 -w1 ff02::1%eth1
PING ff02::01%eth1(ff02::1%eth1) 56 data bytes
64 bytes from fe80::e0:f9ff:fe0c:37%eth1: icmp_seq=1 ttl=64 time=0.059 ms

git bisect traced the failure to
commit b9ef5513c99b ("smack: Check address length before reading address family")

Arguably ping is being stupid since the buster version is not setting
the address family properly (ping on stretch for example does):

$ strace -e connect ping6 -c1 -w1 ff02::1%eth1
connect(5, {sa_family=AF_UNSPEC,
sa_data="\4\1\0\0\0\0\377\2\0\0\0\0\0\0\0\0\0\0\0\0\0\1\3\0\0\0"}, 28)
= -1 EINVAL (Invalid argument)

but the command works fine on kernels prior to this commit, so this is
breakage which goes against the Linux paradigm of "don't break userspace"

Cc: stable@vger.kernel.org
Reported-by: David Ahern <dsahern@gmail.com>
Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 security/smack/smack_lsm.c | 41 +++++++++++++++++++----------------------
 security/smack/smack_lsm.c |   41 +++++++++++++++++++----------------------
 1 file changed, 19 insertions(+), 22 deletions(-)

--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2831,42 +2831,39 @@ static int smack_socket_connect(struct s
 				int addrlen)
 {
 	int rc = 0;
-#if IS_ENABLED(CONFIG_IPV6)
-	struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
-#endif
-#ifdef SMACK_IPV6_SECMARK_LABELING
-	struct smack_known *rsp;
-	struct socket_smack *ssp;
-#endif
 
 	if (sock->sk == NULL)
 		return 0;
-
+	if (sock->sk->sk_family != PF_INET &&
+	    (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6))
+		return 0;
+	if (addrlen < offsetofend(struct sockaddr, sa_family))
+		return 0;
+	if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
+		struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
 #ifdef SMACK_IPV6_SECMARK_LABELING
-	ssp = sock->sk->sk_security;
+		struct smack_known *rsp;
 #endif
 
-	switch (sock->sk->sk_family) {
-	case PF_INET:
-		if (addrlen < sizeof(struct sockaddr_in) ||
-		    sap->sa_family != AF_INET)
-			return -EINVAL;
-		rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
-		break;
-	case PF_INET6:
-		if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6)
-			return -EINVAL;
+		if (addrlen < SIN6_LEN_RFC2133)
+			return 0;
 #ifdef SMACK_IPV6_SECMARK_LABELING
 		rsp = smack_ipv6host_label(sip);
-		if (rsp != NULL)
+		if (rsp != NULL) {
+			struct socket_smack *ssp = sock->sk->sk_security;
+
 			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
-						SMK_CONNECTING);
+					    SMK_CONNECTING);
+		}
 #endif
 #ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
 #endif
-		break;
+		return rc;
 	}
+	if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
+		return 0;
+	rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
 	return rc;
 }