lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHC9VhQ33or9su_jw6XT=n=0NfO_6o++xGo7KyQ9XNBBn1jitw@mail.gmail.com>
Date:   Fri, 2 Mar 2018 16:25:00 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Richard Haines <richard_c_haines@...nternet.com>
Cc:     selinux@...ho.nsa.gov, netdev@...r.kernel.org,
        linux-sctp@...r.kernel.org, linux-security-module@...r.kernel.org,
        Vlad Yasevich <vyasevich@...il.com>, nhorman@...driver.com,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Eric Paris <eparis@...isplace.org>, marcelo.leitner@...il.com,
        casey@...aufler-ca.com, James Morris <jmorris@...ei.org>,
        anders.roxell@...aro.org
Subject: Re: [PATCH] selinux: Fix ltp test connect-syscall failure

On Fri, Mar 2, 2018 at 2:54 PM, Richard Haines
<richard_c_haines@...nternet.com> wrote:
> Fix the following error when running regression tests using LTP as follows:
> cd /opt/ltp/
> cat runtest/syscalls |grep connect01>runtest/connect-syscall
> ./runltp -pq -f connect-syscall
>
> Running tests.......
> connect01    1  TPASS  :  bad file descriptor successful
> connect01    2  TPASS  :  invalid socket buffer successful
> connect01    3  TPASS  :  invalid salen successful
> connect01    4  TPASS  :  invalid socket successful
> connect01    5  TPASS  :  already connected successful
> connect01    6  TPASS  :  connection refused successful
> connect01    7  TFAIL  :  connect01.c:146: invalid address family ;
> returned -1 (expected -1), errno 22 (expected 97)
> INFO: ltp-pan reported some tests FAIL
> LTP Version: 20180118
>
> Reported-by: Anders Roxell <anders.roxell@...aro.org>
> Signed-off-by: Richard Haines <richard_c_haines@...nternet.com>
> ---
>  security/selinux/hooks.c | 42 ++++++++++++++++++++++++++++++------------
>  1 file changed, 30 insertions(+), 12 deletions(-)

Merged, thanks guys.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 28a5c4e..d614df1 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4470,22 +4470,29 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
>                  * need to check address->sa_family as it is possible to have
>                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
>                  */
> -               if (address->sa_family == AF_INET) {
> -                       if (addrlen < sizeof(struct sockaddr_in)) {
> -                               err = -EINVAL;
> -                               goto out;
> -                       }
> +               switch (address->sa_family) {
> +               case AF_INET:
> +                       if (addrlen < sizeof(struct sockaddr_in))
> +                               return -EINVAL;
>                         addr4 = (struct sockaddr_in *)address;
>                         snum = ntohs(addr4->sin_port);
>                         addrp = (char *)&addr4->sin_addr.s_addr;
> -               } else {
> -                       if (addrlen < SIN6_LEN_RFC2133) {
> -                               err = -EINVAL;
> -                               goto out;
> -                       }
> +                       break;
> +               case AF_INET6:
> +                       if (addrlen < SIN6_LEN_RFC2133)
> +                               return -EINVAL;
>                         addr6 = (struct sockaddr_in6 *)address;
>                         snum = ntohs(addr6->sin6_port);
>                         addrp = (char *)&addr6->sin6_addr.s6_addr;
> +                       break;
> +               default:
> +                       /* Note that SCTP services expect -EINVAL, whereas
> +                        * others expect -EAFNOSUPPORT.
> +                        */
> +                       if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> +                               return -EINVAL;
> +                       else
> +                               return -EAFNOSUPPORT;
>                 }
>
>                 if (snum) {
> @@ -4589,16 +4596,27 @@ static int selinux_socket_connect_helper(struct socket *sock,
>                  * need to check address->sa_family as it is possible to have
>                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
>                  */
> -               if (address->sa_family == AF_INET) {
> +               switch (address->sa_family) {
> +               case AF_INET:
>                         addr4 = (struct sockaddr_in *)address;
>                         if (addrlen < sizeof(struct sockaddr_in))
>                                 return -EINVAL;
>                         snum = ntohs(addr4->sin_port);
> -               } else {
> +                       break;
> +               case AF_INET6:
>                         addr6 = (struct sockaddr_in6 *)address;
>                         if (addrlen < SIN6_LEN_RFC2133)
>                                 return -EINVAL;
>                         snum = ntohs(addr6->sin6_port);
> +                       break;
> +               default:
> +                       /* Note that SCTP services expect -EINVAL, whereas
> +                        * others expect -EAFNOSUPPORT.
> +                        */
> +                       if (sksec->sclass == SECCLASS_SCTP_SOCKET)
> +                               return -EINVAL;
> +                       else
> +                               return -EAFNOSUPPORT;
>                 }
>
>                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
> --
> 2.14.3
>



-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ