lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Nov 2017 16:22:41 -0800 From: Casey Schaufler <casey@...aufler-ca.com> To: James Morris <james.l.morris@...cle.com>, Paul Moore <paul@...l-moore.com>, Eric Dumazet <edumazet@...gle.com> Cc: netdev@...r.kernel.org, Stephen Smalley <sds@...ho.nsa.gov>, selinux@...ho.nsa.gov, LSM <linux-security-module@...r.kernel.org> Subject: Re: [BUG] kernel stack corruption during/after Netlabel error On 11/29/2017 2:26 AM, James Morris wrote: > I'm seeing a kernel stack corruption bug (detected via gcc) when running > the SELinux testsuite on a 4.15-rc1 kernel, in the 2nd inet_socket test: > > https://github.com/SELinuxProject/selinux-testsuite/blob/master/tests/inet_socket/test > > # Verify that unauthorized client cannot communicate with the server. > $result = system > "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1"; > > This correctlly causes an access control error in the Netlabel code, and > the bug seems to be triggered during the ICMP send: > > ...<SNIP>... > > This is mostly reliable, and I'm only seeing it on bare metal (not in a > virtualbox vm). > > The SELinux skb parse error at the start only sometimes appears, and > looking at the code, I suspect some kind of memory corruption being the > cause at that point (basic packet header checks). > > I bisected the bug down to the following change: > > commit bffa72cf7f9df842f0016ba03586039296b4caaf > Author: Eric Dumazet <edumazet@...gle.com> > Date: Tue Sep 19 05:14:24 2017 -0700 > > net: sk_buff rbnode reorg > ... > > > Anyone else able to reproduce this, or have any ideas on what's happening? I have also bisected a problem to this change. I do not have a trace because the problem manifests as a hard system hang without a trace being presented. The issue arises when Smack attempts to relabel a TCP socket using netlbl_sock_setattr(). I see that there is a proposed fix later in the thread, but I don't see the patch. Could you send it to me, so I can try it on my problem? Thank you. > > > > - James
Powered by blists - more mailing lists