[v2] selinux: check for address length in selinux_socket_bind()
diff mbox

Message ID 20170306184614.20056-1-glider@google.com
State Accepted
Headers show

Commit Message

Alexander Potapenko March 6, 2017, 6:46 p.m. UTC
KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in selinux_socket_bind():

Comments

Eric Dumazet March 6, 2017, 7:29 p.m. UTC | #1
On Mon, 2017-03-06 at 19:46 +0100, Alexander Potapenko wrote:
> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in selinux_socket_bind():
> 
...
> Signed-off-by: Alexander Potapenko <glider@google.com>
> ---
> Changes since v1:
>  - fixed patch description
>  - fixed addrlen tests to match those in inet_bind() and inet6_bind()
>    (per comment from Eric Dumazet)
> ---
>  security/selinux/hooks.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0a4b4b040e0a..ddc4aca6c840 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
>  		u32 sid, node_perm;
>  
>  		if (family == PF_INET) {
> +			if (addrlen < sizeof(struct sockaddr_in)) {
> +				err = -EINVAL;
> +				goto out;
> +			}
>  			addr4 = (struct sockaddr_in *)address;
>  			snum = ntohs(addr4->sin_port);
>  			addrp = (char *)&addr4->sin_addr.s_addr;
> +
>  		} else {
> +			if (addrlen < SIN6_LEN_RFC2133) {
> +				err = -EINVAL;
> +				goto out;
> +			}
>  			addr6 = (struct sockaddr_in6 *)address;
>  			snum = ntohs(addr6->sin6_port);
>  			addrp = (char *)&addr6->sin6_addr.s6_addr;

Acked-by: Eric Dumazet <edumazet@google.com>
David Miller March 9, 2017, 7:12 a.m. UTC | #2
From: Alexander Potapenko <glider@google.com>
Date: Mon,  6 Mar 2017 19:46:14 +0100

> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in selinux_socket_bind():
 ...
> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
> 
> , when I run the following program as root:
 ...
> (for different values of |size| other error reports are printed).
> 
> This happens because bind() unconditionally copies |size| bytes of
> |addr| to the kernel, leaving the rest uninitialized. Then
> security_socket_bind() reads the IP address bytes, including the
> uninitialized ones, to determine the port, or e.g. pass them further to
> sel_netnode_find(), which uses them to calculate a hash.
> 
> Signed-off-by: Alexander Potapenko <glider@google.com>

Are the SELINUX folks going to pick this up or should I?
Paul Moore March 10, 2017, 12:01 p.m. UTC | #3
On Thu, Mar 9, 2017 at 2:12 AM, David Miller <davem@davemloft.net> wrote:
> From: Alexander Potapenko <glider@google.com>
> Date: Mon,  6 Mar 2017 19:46:14 +0100
>
>> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
>> uninitialized memory in selinux_socket_bind():
>  ...
>> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
>>
>> , when I run the following program as root:
>  ...
>> (for different values of |size| other error reports are printed).
>>
>> This happens because bind() unconditionally copies |size| bytes of
>> |addr| to the kernel, leaving the rest uninitialized. Then
>> security_socket_bind() reads the IP address bytes, including the
>> uninitialized ones, to determine the port, or e.g. pass them further to
>> sel_netnode_find(), which uses them to calculate a hash.
>>
>> Signed-off-by: Alexander Potapenko <glider@google.com>
>
> Are the SELINUX folks going to pick this up or should I?

Yes, it's on my list of things to merge, I was just a bit distracted
this week with yet another audit problem.  I'm going to start making
my way through the patch backlog today.
Paul Moore March 10, 2017, 8:28 p.m. UTC | #4
On Fri, Mar 10, 2017 at 7:01 AM, Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Mar 9, 2017 at 2:12 AM, David Miller <davem@davemloft.net> wrote:
>> From: Alexander Potapenko <glider@google.com>
>> Date: Mon,  6 Mar 2017 19:46:14 +0100
>>
>>> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
>>> uninitialized memory in selinux_socket_bind():
>>  ...
>>> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
>>>
>>> , when I run the following program as root:
>>  ...
>>> (for different values of |size| other error reports are printed).
>>>
>>> This happens because bind() unconditionally copies |size| bytes of
>>> |addr| to the kernel, leaving the rest uninitialized. Then
>>> security_socket_bind() reads the IP address bytes, including the
>>> uninitialized ones, to determine the port, or e.g. pass them further to
>>> sel_netnode_find(), which uses them to calculate a hash.
>>>
>>> Signed-off-by: Alexander Potapenko <glider@google.com>
>>
>> Are the SELINUX folks going to pick this up or should I?
>
> Yes, it's on my list of things to merge, I was just a bit distracted
> this week with yet another audit problem.  I'm going to start making
> my way through the patch backlog today.

Just merged into selinux/next, thanks.  My apologies for the delay.

Patch
diff mbox

==================================================================
BUG: KMSAN: use of unitialized memory
inter: 0
CPU: 3 PID: 1074 Comm: packet2 Tainted: G    B           4.8.0-rc6+ #1916
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff825759c8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [<ffffffff818bdee6>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
 [<ffffffff818bf0fb>] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
 [<ffffffff822dae71>] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
 [<ffffffff8229357c>] security_socket_bind+0x1ec/0x240 security/security.c:1240
 [<ffffffff84265d98>] SYSC_bind+0x358/0x5f0 net/socket.c:1366
 [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
 [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [<ffffffff8518217c>] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
chained origin: 00000000ba6009bb
 [<ffffffff810bb7a7>] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
 [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
 [<ffffffff818bd2b8>] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
 [<ffffffff818bf033>] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
 [<ffffffff84265b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
 [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
 [<ffffffff8518217c>] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000b8c00900)
==================================================================

(the line numbers are relative to 4.8-rc6, but the bug persists upstream)

, when I run the following program as root:

=======================================================
  #include <string.h>
  #include <sys/socket.h>
  #include <netinet/in.h>

  int main(int argc, char *argv[]) {
    struct sockaddr addr;
    int size = 0;
    if (argc > 1) {
      size = atoi(argv[1]);
    }
    memset(&addr, 0, sizeof(addr));
    int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
    bind(fd, &addr, size);
    return 0;
  }
=======================================================

(for different values of |size| other error reports are printed).

This happens because bind() unconditionally copies |size| bytes of
|addr| to the kernel, leaving the rest uninitialized. Then
security_socket_bind() reads the IP address bytes, including the
uninitialized ones, to determine the port, or e.g. pass them further to
sel_netnode_find(), which uses them to calculate a hash.

Signed-off-by: Alexander Potapenko <glider@google.com>
---
Changes since v1:
 - fixed patch description
 - fixed addrlen tests to match those in inet_bind() and inet6_bind()
   (per comment from Eric Dumazet)
---
 security/selinux/hooks.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0a4b4b040e0a..ddc4aca6c840 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4351,10 +4351,19 @@  static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		u32 sid, node_perm;
 
 		if (family == PF_INET) {
+			if (addrlen < sizeof(struct sockaddr_in)) {
+				err = -EINVAL;
+				goto out;
+			}
 			addr4 = (struct sockaddr_in *)address;
 			snum = ntohs(addr4->sin_port);
 			addrp = (char *)&addr4->sin_addr.s_addr;
+
 		} else {
+			if (addrlen < SIN6_LEN_RFC2133) {
+				err = -EINVAL;
+				goto out;
+			}
 			addr6 = (struct sockaddr_in6 *)address;
 			snum = ntohs(addr6->sin6_port);
 			addrp = (char *)&addr6->sin6_addr.s6_addr;