Message-ID: <CABP0=5f1gtnS_kR2nJC1zkF4dvpPrj02KR3-C+hR2pFZyt1qDg@mail.gmail.com>
Date:	Fri, 9 Jan 2015 15:05:45 +0530
From:	Vishal Goel <goel.cool@...il.com>
To:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	Casey Schaufler <casey@...aufler-ca.com>
Cc:	"vishal.goel@...sung.com" <vishal.goel@...sung.com>
Subject: Fix for same server binary but with different labels issue in smack
 ipv6 implementation (kernel ver-3.19)

[PATCH] This patch fixes the bug which comes up when one tcp server is
already running on some ip and port with "test" as the SMACK64IPIN label,
and we try to run the same server again with the same port, same protocol,
and same ip but with a different SMACK64IPIN label "server". Then this new
server process will exit with an error "Address already in use". Now when we
try to run a tcp client with the SMACK64IPOUT label as "test", a connection
denied error comes. It should not happen since both tcp server and client
labels are the same. This happens because the new server process updates the
existing port entry in the list before exiting with an error. This happens
because checking for the same binding address is done after the smack hook
call "security_smack_socket_bind()", due to which the previous port entry
gets updated in the smack hook before the new server process returns with an
error.

Now a new check has been added before updating the existing port entry in
the smk_ipv6_port_label() function. It checks whether the socket for the
corresponding port entry is closed or not. If it is closed then it means no
binding error will come later. So in this case we can update the existing
port entry, otherwise return.
For checking whether the socket is closed or not, one more field
"smk_can_reuse" has been added in the "smk_port_label" structure. This field
will be marked 1 in the "smack_sk_free_security()" function. This function
gets called to free the socket security blob when the socket gets closed. In
this function, the port entry is searched in the list for the closing socket.
If it is found then the "smk_can_reuse" field is set to 1.
The "smk_can_reuse" field is set to 0 in the smk_ipv6_port_label() function
after creating a new entry in the list. '0' indicates that the socket is
being used by someone.

Signed-off-by: Vishal Goel <vishal.goel@...sung.com>
                Himanshu Shukla <himanshu.sh@...sung.com>
---
 security/smack/smack.h     |  1 +
 security/smack/smack_lsm.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/security/smack/smack.h b/security/smack/smack.h
index e8c6477..d2530fd 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -136,6 +136,7 @@ struct smk_port_label {
        struct smack_known      *smk_in;        /* inbound label */
        struct smack_known      *smk_out;       /* outgoing label */
        short                   sock_type;      /*Socket type*/
+       short                   smk_can_reuse;
 };

 /*
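Review bot: The new smk_can_reuse member of struct smk_port_label has no trailing comment, while the neighbouring fields each carry one ("/* inbound label */", "/*Socket type*/"). Please document its meaning, for example "/* 1 once the owning socket has been freed */". Since the patch only ever stores 0 or 1 in it, a boolean type would also say more than short.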
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3d6af90..5b22a4c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2086,6 +2086,18 @@ static int smack_sk_alloc_security(struct sock
*sk, int family, gfp_t gfp_flags)
  */
 static void smack_sk_free_security(struct sock *sk)
 {
+       struct smk_port_label *spp;
+
+       if (sk->sk_family == PF_INET6) {
+               rcu_read_lock();
+               list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
+                       if (spp->smk_sock != sk)
+                               continue;
+                       spp->smk_can_reuse = 1;
+                       break;
+               }
+               rcu_read_unlock();
+       }
        kfree(sk->sk_security);
 }

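Review bot: The store "spp->smk_can_reuse = 1" in smack_sk_free_security() is made while holding only rcu_read_lock(), which protects the list walk but does not serialize writers. smk_ipv6_port_label() reads and writes the same field, and the only writer-side lock visible in this patch is smack_ipv6_lock around list_add_rcu(). Please state what orders this update against a concurrent bind on the same port. The entry also keeps spp->smk_sock pointing at the sk that is being freed here; clearing it once the entry is marked reusable would avoid leaving a stale pointer in the list for later "spp->smk_sock != sk" comparisons.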
@@ -2267,10 +2279,13 @@ static void smk_ipv6_port_label(struct socket
*sock, struct sockaddr *address)
        list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
                if (spp->smk_port != port || spp->sock_type != sock->type)
                        continue;
+               if (spp->smk_can_reuse != 1)
+                       return;
                spp->smk_port = port;
                spp->smk_sock = sk;
                spp->smk_in = ssp->smk_in;
                spp->smk_out = ssp->smk_out;
+               spp->smk_can_reuse = 0;
                rcu_read_unlock();
                return;
        }
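Review bot: The added early exit "if (spp->smk_can_reuse != 1) return;" leaves the list walk without calling rcu_read_unlock(), whereas the existing exit at the end of the same loop body does "rcu_read_unlock(); return;". Add the unlock before this return so the read-side section is always closed. Separately, entries are matched on smk_port and sock_type only, so a bind to the same port on a different address is also silently skipped by this check; please confirm that is the intended behaviour.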
@@ -2287,6 +2302,7 @@ static void smk_ipv6_port_label(struct socket
*sock, struct sockaddr *address)
        spp->smk_in = ssp->smk_in;
        spp->smk_out = ssp->smk_out;
        spp->sock_type = sock->type;
+       spp->smk_can_reuse = 0;

        mutex_lock(&smack_ipv6_lock);
        list_add_rcu(&spp->list, &smk_ipv6_port_list);
-- 
1.8.3.2