| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Apr 2020 10:27:25 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Paul Moore <paul@...l-moore.com>, stephen.smalley.work@...il.com,
Eric Paris <eparis@...isplace.org>, selinux@...r.kernel.org
Cc: LKML <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
Willem de Bruijn <willemb@...gle.com>
Subject: selinux_netlink_send changes program behavior
Hi SELinux maintainers,
We've hit a case where a developer wasn't able to reproduce a kernel
bug, it turned out to be a difference in behavior between SELinux and
non-SELinux kernels.
Condensed version: a program does sendmmsg on netlink socket with 2
mmsghdr's, first is completely empty/zeros, second contains some
actual payload. Without SELinux the first mmsghdr is treated as no-op
and the kernel processes the second one (triggers bug). However the
SELinux hook does:
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
if (skb->len < NLMSG_HDRLEN) {
err = -EINVAL;
goto out;
}
and fails processing on the first empty mmsghdr (does not happen
without SELinux).
Is this difference in behavior intentional/acceptable/should be fixed?
Thanks
FTR, the C program is:
https://gist.githubusercontent.com/dvyukov/dda1c547ca9121817159d29afa72aea2/raw/41b021d722947df4d8c48e2fc783591b44671ceb/gistfile1.txt
kernel config:
https://gist.githubusercontent.com/dvyukov/08bf2c2fd873a84a2c4c771740716183/raw/78fb3b1063b7ae37625468f32868869edbd1bd19/gistfile1.txt
on upstream commit 50cc09c1 it triggers a KASAN bug without SELinux,
but does not with SELinux.
Powered by blists - more mailing lists