| Message ID | 1e5accb3a4a5575ada1dbdfc6e5d9e4358131f83.1552061254.git.lucien.xin@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [net] selinux: add the missing walk_size + len check in selinux_sctp_bind_connect | expand |
On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote: > As does in __sctp_connect(), when checking addrs in a while loop, after > get the addr len according to sa_family, it's necessary to do the check > walk_size + af->sockaddr_len > addrs_size to make sure it won't access > an out-of-bounds addr. > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an > out-of-bounds issue can be triggered: > > [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 > [14548.927083] Call Trace: > [14548.938072] dump_stack+0x9a/0xe9 > [14548.953015] print_address_description+0x65/0x22e > [14548.996524] kasan_report.cold.6+0x92/0x1a6 > [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 > [14549.036947] security_sctp_bind_connect+0x58/0x90 > [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] > [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] > > Fixes: d452930fd3b9 ("selinux: Add SCTP support") > Reported-by: Chunyu Hu <chuhu@redhat.com> > Signed-off-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Paul, how can we get this into -stable trees? SELinux process may be different from -net trees. > --- > security/selinux/hooks.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index f0e36c3..dac9bdb 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -5120,6 +5120,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, > return -EINVAL; > } > > + if (walk_size + len > addrlen) > + return -EINVAL; > + > err = -EINVAL; > switch (optname) { > /* Bind checks */ > -- > 2.1.0 >
On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> wrote: > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote: > > As does in __sctp_connect(), when checking addrs in a while loop, after > > get the addr len according to sa_family, it's necessary to do the check > > walk_size + af->sockaddr_len > addrs_size to make sure it won't access > > an out-of-bounds addr. > > > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an > > out-of-bounds issue can be triggered: > > > > [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 > > [14548.927083] Call Trace: > > [14548.938072] dump_stack+0x9a/0xe9 > > [14548.953015] print_address_description+0x65/0x22e > > [14548.996524] kasan_report.cold.6+0x92/0x1a6 > > [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 > > [14549.036947] security_sctp_bind_connect+0x58/0x90 > > [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] > > [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] > > > > Fixes: d452930fd3b9 ("selinux: Add SCTP support") > > Reported-by: Chunyu Hu <chuhu@redhat.com> > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Thanks, this patch looks good to me. > Paul, how can we get this into -stable trees? SELinux process may be > different from -net trees. For patches that warrant inclusion in -stable, I merge them into the current selinux/stable-X.Y and send it up to Linus once it passes some basic sanity tests. Since we're still only half-way through the merge window, and this is an obvious bug fix, I think this qualifies as -stable material. I'm traveling at the moment with not-so-great connectivity, but I'll get this merged and verified early next week.
On Fri, Mar 8, 2019 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote: > On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner > <marcelo.leitner@gmail.com> wrote: > > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote: > > > As does in __sctp_connect(), when checking addrs in a while loop, after > > > get the addr len according to sa_family, it's necessary to do the check > > > walk_size + af->sockaddr_len > addrs_size to make sure it won't access > > > an out-of-bounds addr. > > > > > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an > > > out-of-bounds issue can be triggered: > > > > > > [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 > > > [14548.927083] Call Trace: > > > [14548.938072] dump_stack+0x9a/0xe9 > > > [14548.953015] print_address_description+0x65/0x22e > > > [14548.996524] kasan_report.cold.6+0x92/0x1a6 > > > [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 > > > [14549.036947] security_sctp_bind_connect+0x58/0x90 > > > [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] > > > [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] > > > > > > Fixes: d452930fd3b9 ("selinux: Add SCTP support") > > > Reported-by: Chunyu Hu <chuhu@redhat.com> > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > > Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> > > Thanks, this patch looks good to me. > > > Paul, how can we get this into -stable trees? SELinux process may be > > different from -net trees. > > For patches that warrant inclusion in -stable, I merge them into the > current selinux/stable-X.Y and send it up to Linus once it passes some > basic sanity tests. Since we're still only half-way through the merge > window, and this is an obvious bug fix, I think this qualifies as > -stable material. > > I'm traveling at the moment with not-so-great connectivity, but I'll > get this merged and verified early next week. FYI, I just merged this into selinux/stable-5.1. Assuming it tests okay (and I can't imagine it would cause a regression), I'll send it to Linus tomorrow.
On Mon, Mar 11, 2019 at 04:11:32PM -0400, Paul Moore wrote: > On Fri, Mar 8, 2019 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote: > > On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner > > <marcelo.leitner@gmail.com> wrote: > > > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote: > > > > As does in __sctp_connect(), when checking addrs in a while loop, after > > > > get the addr len according to sa_family, it's necessary to do the check > > > > walk_size + af->sockaddr_len > addrs_size to make sure it won't access > > > > an out-of-bounds addr. > > > > > > > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an > > > > out-of-bounds issue can be triggered: > > > > > > > > [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 > > > > [14548.927083] Call Trace: > > > > [14548.938072] dump_stack+0x9a/0xe9 > > > > [14548.953015] print_address_description+0x65/0x22e > > > > [14548.996524] kasan_report.cold.6+0x92/0x1a6 > > > > [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 > > > > [14549.036947] security_sctp_bind_connect+0x58/0x90 > > > > [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] > > > > [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] > > > > > > > > Fixes: d452930fd3b9 ("selinux: Add SCTP support") > > > > Reported-by: Chunyu Hu <chuhu@redhat.com> > > > > Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > > > > Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> > > > > Thanks, this patch looks good to me. > > > > > Paul, how can we get this into -stable trees? SELinux process may be > > > different from -net trees. > > > > For patches that warrant inclusion in -stable, I merge them into the > > current selinux/stable-X.Y and send it up to Linus once it passes some > > basic sanity tests. Since we're still only half-way through the merge > > window, and this is an obvious bug fix, I think this qualifies as > > -stable material. > > > > I'm traveling at the moment with not-so-great connectivity, but I'll > > get this merged and verified early next week. > > FYI, I just merged this into selinux/stable-5.1. Assuming it tests > okay (and I can't imagine it would cause a regression), I'll send it > to Linus tomorrow. Thanks Paul. Marcelo
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f0e36c3..dac9bdb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5120,6 +5120,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, return -EINVAL; } + if (walk_size + len > addrlen) + return -EINVAL; + err = -EINVAL; switch (optname) { /* Bind checks */
As does in __sctp_connect(), when checking addrs in a while loop, after get the addr len according to sa_family, it's necessary to do the check walk_size + af->sockaddr_len > addrs_size to make sure it won't access an out-of-bounds addr. The same thing is needed in selinux_sctp_bind_connect(), otherwise an out-of-bounds issue can be triggered: [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 [14548.927083] Call Trace: [14548.938072] dump_stack+0x9a/0xe9 [14548.953015] print_address_description+0x65/0x22e [14548.996524] kasan_report.cold.6+0x92/0x1a6 [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 [14549.036947] security_sctp_bind_connect+0x58/0x90 [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] Fixes: d452930fd3b9 ("selinux: Add SCTP support") Reported-by: Chunyu Hu <chuhu@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> --- security/selinux/hooks.c | 3 +++ 1 file changed, 3 insertions(+)