From patchwork Tue Jan 15 17:06:24 2019
X-Patchwork-Submitter: Sergey Nazarov
X-Patchwork-Id: 10764845
From: Nazarov Sergey
To: linux-security-module@vger.kernel.org
Subject: Kernel memory corruption in CIPSO labeled TCP packets processing.
Date: Tue, 15 Jan 2019 20:06:24 +0300
Message-Id: <16659801547571984@sas1-890ba5c2334a.qloud-c.yandex.net>

Hello!

Security modules (selinux, smack) use icmp_send for discarded, incorrectly labeled network packets. This could be on the TCP level too (security_sock_rcv_skb -> cipso_v4_error for an INET stream connection, for example). icmp_send calls ip_options_echo, which uses IPCB to take the compiled IP options. After moving the IP header data to the end of struct tcp_skb_cb (since the 3.18 kernel), this could lead to kernel memory corruption when copying the IP options.

This patch fixes the bug, but I'm not sure that this is the best solution. Perhaps someone more familiar with the Linux TCP/IP stack will offer a better one.

Thanks.

--- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -679,7 +679,8 @@ void icmp_send(struct sk_buff *skb_in, i iph->tos; mark = IP4_REPLY_MARK(net, skb_in->mark); - if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in)) + if (__ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in, + ip_hdr(skb_in)->protocol == IPPROTO_TCP ? &TCP_SKB_CB(skb_in)->header.h4.opt : &IPCB(skb_in)->opt)) goto out_unlock;
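Review bot: the discriminator on the second `+` line, `ip_hdr(skb_in)->protocol == IPPROTO_TCP`, says what the packet is, not where in the stack the skb currently sits, and the fix depends on the latter. The compiled options live at `&TCP_SKB_CB(skb_in)->header.h4.opt` only after the TCP receive path has relocated the IP control block to the end of struct tcp_skb_cb (the move since 3.18 that the message describes); a TCP segment that reaches icmp_send before that relocation, for example from the forwarding path emitting a TTL-exceeded or fragmentation-needed error, still has its options in `IPCB(skb_in)->opt`, and for such an skb this change reads whatever sits at the tail of the cb instead, trading one bad read for another. The selection needs to be driven by the caller's layer rather than by the L4 protocol: have the security_sock_rcv_skb -> cipso_v4_error path, the only caller named here that runs after the relocation, hand icmp_send the right `struct ip_options` explicitly (or recompile the options from the IP header there instead of trusting the cb), and keep the plain `ip_options_echo()` call for every other caller. As a style point, the ternary makes that `+` line far longer than 80 columns; assigning the chosen pointer to a local `const struct ip_options *sopt` before the call keeps the condition readable and the diff within kernel style.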