From patchwork Thu Nov 5 21:39:24 2015
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 540705
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1446759564.4184.65.camel@edumazet-glaptop2.roam.corp.google.com>
Subject: [PATCH net] selinux: fix random read in selinux_ip_postroute_compat()
From: Eric Dumazet
To: Dmitry Vyukov, David Miller
Cc: netdev, Paul Moore
Date: Thu, 05 Nov 2015 13:39:24 -0800
In-Reply-To: <1446752806.4184.50.camel@edumazet-glaptop2.roam.corp.google.com>

From: Eric Dumazet

In commit e446f9dfe17b ("net: synack packets can be attached to request sockets"), I missed one remaining case of invalid skb->sk->sk_security access.

Dmitry Vyukov got a KASan report pointing to it.

Add selinux_skb_sk() helper that is responsible to get back to the listener if skb is attached to a request socket, instead of duplicating the logic.

Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Paul Moore
---
 security/selinux/hooks.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 26f4039d54b8..c9b2d5467477 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -4931,11 +4931,23 @@ static unsigned int selinux_ipv4_output(void *priv, return selinux_ip_output(skb, PF_INET); } +/* SYNACK messages might be attached to request sockets. + * To get back to sk_security, we need to look at the listener. + */ +static struct sock *selinux_skb_sk(const struct sk_buff *skb) +{ + struct sock *sk = skb->sk; + + if (sk && sk->sk_state == TCP_NEW_SYN_RECV) + sk = inet_reqsk(sk)->rsk_listener; + return sk; +} + static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, int ifindex, u16 family) { - struct sock *sk = skb->sk; + struct sock *sk = selinux_skb_sk(skb); struct sk_security_struct *sksec; struct common_audit_data ad; struct lsm_network_audit net = {0,}; @@ -4990,7 +5002,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, if (!secmark_active && !peerlbl_active) return NF_ACCEPT; - sk = skb->sk; + sk = selinux_skb_sk(skb); #ifdef CONFIG_XFRM /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec @@ -5035,8 +5047,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, u32 skb_sid; struct sk_security_struct *sksec; - if (sk->sk_state == TCP_NEW_SYN_RECV) - sk = inet_reqsk(sk)->rsk_listener; sksec = sk->sk_security; if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP;
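Review bot: In the first hunk (@@ -4931,11 +4931,23 @@), the comment above selinux_skb_sk() says where to find sk_security but not why skb->sk->sk_security must not be read for a socket in TCP_NEW_SYN_RECV. The commit message calls that read an invalid access caught by KASan; one sentence in the comment stating that sk_security is not valid on a request socket would tell future callers that they have to go through this helper before touching sk->sk_security, rather than treating it as an optional convenience.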
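Review bot: In the second hunk (@@ -4990,7 +5002,7 @@), replacing "sk = skb->sk;" with "sk = selinux_skb_sk(skb);" moves the request-socket-to-listener substitution ahead of the CONFIG_XFRM block, whereas the check removed in the last hunk applied it only immediately before "sksec = sk->sk_security;". Every test on sk between those two points in selinux_ip_postroute() now sees the listener instead of the request socket, which is a behaviour change beyond the de-duplication the commit message describes. Please confirm that each intermediate use of sk is meant to operate on the listener and say so in the changelog.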
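Review bot: In the last hunk (@@ -5035,8 +5047,6 @@), once the TCP_NEW_SYN_RECV test is removed nothing near "sksec = sk->sk_security;" shows that sk has already been mapped to the listener. The safety of this dereference now depends on the assignment dozens of lines earlier, so a short comment here pointing at selinux_skb_sk() would make it harder for a later refactor that reassigns sk from skb->sk to reintroduce the bad read.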