
[Fix kernel crash in cipso_v4_sock_delattr]

Message ID 1603159082.92241427713739372.JavaMail.weblogic@epmlwas01c
State Not Applicable, archived
Delegated to: David Miller

Commit Message

Maninder Singh March 30, 2015, 11:09 a.m. UTC
Dear All,
We found one kernel crash issue in cipso_v4_sock_delattr:
As CIPSO supports only inet sockets, cipso_v4_sock_delattr will crash when it tries to access
any other socket type. cipso_v4_sock_delattr accesses sk_inet->inet_opt, which may
contain a non-NULL but invalid address. We found this issue with a netlink socket (reproducible by trinity using the sendto system call).

Crash Logs :
[0-182.2400] [<c04c7fa4>] (cipso_v4_sock_delattr+0x0/0x74) from [<c0517b64>] (netlbl_sock_delattr+0x18/0x1c)
[0-182.2497]  r4:00000000 r3:c07872f8
[0-182.2531] [<c0517b4c>] (netlbl_sock_delattr+0x0/0x1c) from [<c027b2fc>] (smack_netlabel+0x88/0x9c)
[0-182.2622] [<c027b274>] (smack_netlabel+0x0/0x9c) from [<c027b43c>] (smack_netlabel_send+0x12c/0x144)
[0-182.2714]  r7 9ce9500 r6 7b67ef4 r5:c076f408 r4 8903dc0
[0-182.2770] [<c027b310>] (smack_netlabel_send+0x0/0x144) from [<c027b4a8>] (smack_socket_sendmsg+0x54/0x60)
[0-182.2866] [<c027b454>] (smack_socket_sendmsg+0x0/0x60) from [<c02789ec>] (security_socket_sendmsg+0x28/0x2c)
[0-182.2966] [<c02789c4>] (security_socket_sendmsg+0x0/0x2c) from [<c04343b0>] (sock_sendmsg+0x68/0xc0)
[0-182.3058] [<c0434348>] (sock_sendmsg+0x0/0xc0) from [<c04369e8>] (SyS_sendto+0xd8/0x110)
Signed-off-by: Vaneet Narang <v.narang@samsung.com>

Signed-off-by: Maninder Singh <maninder1.s@samsung.com>

Reviewed-by: Ajeet Yadav <ajeet.y@samsung.com>
---
 net/netlabel/netlabel_kapi.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
-- 
1.7.9.5


Thanks and Regards,
Maninder Singh

Comments

Paul Moore March 30, 2015, 11:32 a.m. UTC | #1
On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
> Dear All,
> We found one kernel crash issue in cipso_v4_sock_delattr:
> As CIPSO supports only inet sockets, cipso_v4_sock_delattr will crash when
> it tries to access any other socket type. cipso_v4_sock_delattr accesses
> sk_inet->inet_opt, which may contain a non-NULL but invalid address. We found
> this issue with a netlink socket (reproducible by trinity using the sendto
> system call).

Hello,

First, please go read the Documentation/SubmittingPatches from the kernel 
sources; your patch needs to be resubmitted and the instructions in that file 
will show you how to do it correctly next time.

Second, this appears to only affect Smack based systems, yes?  SELinux based 
systems should have the proper checking in place to prevent this (the checks 
are handled in the LSM).  That said, it probably wouldn't hurt to add the 
extra checking to netlbl_sock_delattr().  If you properly resubmit your patch 
I'll ACK it.

-Paul

Casey Schaufler March 30, 2015, 5:25 p.m. UTC | #2
On 3/30/2015 4:32 AM, Paul Moore wrote:
> On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
>> Dear All,
>> We found one kernel crash issue in cipso_v4_sock_delattr:
>> As CIPSO supports only inet sockets, cipso_v4_sock_delattr will crash when
>> it tries to access any other socket type. cipso_v4_sock_delattr accesses
>> sk_inet->inet_opt, which may contain a non-NULL but invalid address. We found
>> this issue with a netlink socket (reproducible by trinity using the sendto
>> system call).
> Hello,
>
> First, please go read the Documentation/SubmittingPatches from the kernel 
> sources; your patch needs to be resubmitted and the instructions in that file 
> will show you how to do it correctly next time.
>
> Second, this appears to only affect Smack based systems, yes?  SELinux based 
> systems should have the proper checking in place to prevent this (the checks 
> are handled in the LSM).

This looks like a problem that was fixed some time ago.
The current Smack code clearly checks for this. What kernel
version are you testing against?

> That said, it probably wouldn't hurt to add the 
> extra checking to netlbl_sock_delattr().  If you properly resubmit your patch 
> I'll ACK it.
>
> -Paul
>


Patch

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 7c94aed..7a2c6f5 100755
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -700,7 +700,13 @@  socket_setattr_return:
  */
 void netlbl_sock_delattr(struct sock *sk)
 {
- cipso_v4_sock_delattr(sk);
+ switch (sk->sk_family) {
+ case AF_INET:
+  cipso_v4_sock_delattr(sk);
+  break;
+ default:
+  break;
+ }
 }
 
 /**
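
Review bot: the added `switch` in netlbl_sock_delattr() has only `case AF_INET:` and an empty `default:`, so every other socket family now returns silently, and the kernel-doc comment that ends just above the function should say that sockets other than AF_INET are ignored, so that callers like the ones in the posted trace know the call is a no-op for them. With a single case, `if (sk->sk_family == AF_INET) cipso_v4_sock_delattr(sk);` would express the same guard in one line, unless the switch is kept deliberately to leave room for further families. Two mechanical points on the same hunk: the `index 7c94aed..7a2c6f5 100755` line shows this .c file carrying an executable mode in the submitter's tree, which is worth checking against the tree the patch is based on, and the added lines appear indented with single spaces, so if the mail was sent that way it needs resending with tabs preserved.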