| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220506010822.GA18891@embeddedor>
Date: Thu, 5 May 2022 20:08:22 -0500
From: "Gustavo A. R. Silva" <gustavoars@...nel.org>
To: Paul Moore <paul@...l-moore.com>
Cc: Kees Cook <keescook@...omium.org>,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Xiu Jianfeng <xiujianfeng@...wei.com>,
Christian Göttsche <cgzones@...glemail.com>,
netdev@...r.kernel.org, selinux@...r.kernel.org,
Alexei Starovoitov <ast@...nel.org>,
alsa-devel@...a-project.org, Al Viro <viro@...iv.linux.org.uk>,
Andrew Gabbasov <andrew_gabbasov@...tor.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Gross <agross@...nel.org>,
Andy Lavr <andy.lavr@...il.com>,
Arend van Spriel <aspriel@...il.com>,
Baowen Zheng <baowen.zheng@...igine.com>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Bradley Grove <linuxdrivers@...otech.com>,
brcm80211-dev-list.pdl@...adcom.com,
Christian Brauner <brauner@...nel.org>,
Christian Lamparter <chunkeey@...glemail.com>,
Chris Zankel <chris@...kel.net>,
Cong Wang <cong.wang@...edance.com>,
Daniel Axtens <dja@...ens.net>,
Daniel Vetter <daniel.vetter@...ll.ch>,
Dan Williams <dan.j.williams@...el.com>,
David Gow <davidgow@...gle.com>,
David Howells <dhowells@...hat.com>,
Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>,
devicetree@...r.kernel.org, Dexuan Cui <decui@...rosoft.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
Eli Cohen <elic@...dia.com>,
Eric Dumazet <edumazet@...gle.com>,
Eugeniu Rosca <erosca@...adit-jv.com>,
Felipe Balbi <balbi@...nel.org>,
Francis Laniel <laniel_francis@...vacyrequired.com>,
Frank Rowand <frowand.list@...il.com>,
Franky Lin <franky.lin@...adcom.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Gregory Greenman <gregory.greenman@...el.com>,
Guenter Roeck <linux@...ck-us.net>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Hante Meuleman <hante.meuleman@...adcom.com>,
Hulk Robot <hulkci@...wei.com>,
Jakub Kicinski <kuba@...nel.org>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
James Morris <jmorris@...ei.org>,
Jarkko Sakkinen <jarkko@...nel.org>,
Jaroslav Kysela <perex@...ex.cz>,
Jason Gunthorpe <jgg@...pe.ca>, Jens Axboe <axboe@...nel.dk>,
Johan Hedberg <johan.hedberg@...il.com>,
Johannes Berg <johannes.berg@...el.com>,
Johannes Berg <johannes@...solutions.net>,
John Keeping <john@...anate.com>,
Juergen Gross <jgross@...e.com>, Kalle Valo <kvalo@...nel.org>,
Keith Packard <keithp@...thp.com>, keyrings@...r.kernel.org,
kunit-dev@...glegroups.com,
Kuniyuki Iwashima <kuniyu@...zon.co.jp>,
"K. Y. Srinivasan" <kys@...rosoft.com>,
Lars-Peter Clausen <lars@...afoo.de>,
Lee Jones <lee.jones@...aro.org>,
Leon Romanovsky <leon@...nel.org>,
Liam Girdwood <lgirdwood@...il.com>,
linux1394-devel@...ts.sourceforge.net,
linux-afs@...ts.infradead.org,
linux-arm-kernel@...ts.infradead.org,
linux-arm-msm@...r.kernel.org, linux-bluetooth@...r.kernel.org,
linux-hardening@...r.kernel.org, linux-hyperv@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-rdma@...r.kernel.org,
linux-scsi@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-usb@...r.kernel.org, linux-wireless@...r.kernel.org,
linux-xtensa@...ux-xtensa.org, llvm@...ts.linux.dev,
Loic Poulain <loic.poulain@...aro.org>,
Louis Peens <louis.peens@...igine.com>,
Luca Coelho <luciano.coelho@...el.com>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>,
Marc Dionne <marc.dionne@...istor.com>,
Marcel Holtmann <marcel@...tmann.org>,
Mark Brown <broonie@...nel.org>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Max Filippov <jcmvbkbc@...il.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Muchun Song <songmuchun@...edance.com>,
Nathan Chancellor <nathan@...nel.org>,
Nuno Sá <nuno.sa@...log.com>,
Paolo Abeni <pabeni@...hat.com>,
Rich Felker <dalias@...ifal.cx>,
Rob Herring <robh+dt@...nel.org>,
Russell King <linux@...linux.org.uk>,
"Serge E. Hallyn" <serge@...lyn.com>,
SHA-cyfmac-dev-list@...ineon.com,
Simon Horman <simon.horman@...igine.com>,
Stefano Stabellini <sstabellini@...nel.org>,
Stefan Richter <stefanr@...6.in-berlin.de>,
Stephen Hemminger <sthemmin@...rosoft.com>,
Tadeusz Struk <tadeusz.struk@...aro.org>,
Takashi Iwai <tiwai@...e.com>, Tom Rix <trix@...hat.com>,
Udipto Goswami <quic_ugoswami@...cinc.com>,
Vincenzo Frascino <vincenzo.frascino@....com>,
wcn36xx@...ts.infradead.org, Wei Liu <wei.liu@...nel.org>,
xen-devel@...ts.xenproject.org,
Yang Yingliang <yangyingliang@...wei.com>
Subject: Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab
On Thu, May 05, 2022 at 07:16:18PM -0400, Paul Moore wrote:
> On Thu, May 5, 2022 at 2:39 PM Kees Cook <keescook@...omium.org> wrote:
> > On Wed, May 04, 2022 at 11:14:42PM -0400, Paul Moore wrote:
> > > On Wed, May 4, 2022 at 7:34 PM Gustavo A. R. Silva
> > > <gustavoars@...nel.org> wrote:
> > > >
> > > > Hi Paul,
> > > >
> > > > On Wed, May 04, 2022 at 06:57:28PM -0400, Paul Moore wrote:
> > > > > On Tue, May 3, 2022 at 9:57 PM Kees Cook <keescook@...omium.org> wrote:
> > > >
> > > > [..]
> > > >
> > > > > > +++ b/include/uapi/linux/xfrm.h
> > > > > > @@ -31,9 +31,9 @@ struct xfrm_id {
> > > > > > struct xfrm_sec_ctx {
> > > > > > __u8 ctx_doi;
> > > > > > __u8 ctx_alg;
> > > > > > - __u16 ctx_len;
> > > > > > + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, ctx_len);
> > > > > > __u32 ctx_sid;
> > > > > > - char ctx_str[0];
> > > > > > + __DECLARE_FLEX_ARRAY_ELEMENTS(char, ctx_str);
> > > > > > };
> > > > >
> > > > > While I like the idea of this in principle, I'd like to hear about the
> > > > > testing you've done on these patches. A previous flex array
> > > > > conversion in the audit uapi headers ended up causing a problem with
> > > >
> > > > I'm curious about which commit caused those problems...?
> > >
> > > Commit ed98ea2128b6 ("audit: replace zero-length array with
> > > flexible-array member"), however, as I said earlier, the problem was
> > > actually with SWIG, it just happened to be triggered by the kernel
> > > commit. There was a brief fedora-devel mail thread about the problem,
> > > see the link below:
> > >
> > > * https://www.spinics.net/lists/fedora-devel/msg297991.html
> >
> > Wow, that's pretty weird -- it looks like SWIG was scraping the headers
> > to build its conversions? I assume SWIG has been fixed now?
>
> I honestly don't know, the audit userspace was hacking around it with
> some header file duplication/munging last I heard, but I try to avoid
> having to touch Steve's audit userspace code.
>
> > > To reiterate, I'm supportive of changes like this, but I would like to
> > > hear how it was tested to ensure there are no unexpected problems with
> > > userspace. If there are userspace problems it doesn't mean we can't
> > > make changes like this, it just means we need to ensure that the
> > > userspace issues are resolved first.
> >
> > Well, as this is the first and only report of any problems with [0] -> []
> > conversions (in UAPI or anywhere) that I remember seeing, and they've
> > been underway since at least v5.9, I hadn't been doing any new testing.
>
> ... and for whatever it is worth, I wasn't expecting it to be a
> problem either. Surprise :)
>
> > So, for this case, I guess I should ask what tests you think would be
> > meaningful here? Anything using #include should be fine:
> > https://codesearch.debian.net/search?q=linux%2Fxfrm.h&literal=1&perpkg=1
> > Which leaves just this, which may be doing something weird:
> >
> > libabigail_2.0-1/tests/data/test-diff-filter/test-PR27569-v0.abi
> > </data-member>
> > <data-member access="public" layout-offset-in-bits="128">
> > <var-decl name="seq_hi" type-id="3f1a6b60" visibility="default" filepath="include/uapi/linux/xfrm.h" line="97" column="1"/>
> > </data-member>
> > <data-member access="public" layout-offset-in-bits="160">
> >
> > But I see that SWIG doesn't show up in a search for linux/audit.h:
> > https://codesearch.debian.net/search?q=linux%2Faudit.h&literal=1&perpkg=1
> >
> > So this may not be a sufficient analysis...
>
> I think from a practical perspective ensuring that the major IPsec/IKE
> tools, e.g. the various *SWANs, that know about labeled IPSec still
> build and can set/get the SA/SPD labels correctly would be sufficient.
> I seriously doubt there would be any problems, but who knows.
There are certainly some cases in which the transformation of
zero-length arrays into flexible-array members can bring some issues
to the surface[1][2]. This is the first time that we know of one of
them in user-space. However, we haven't transformed the arrays in
UAPI yet (with the exception of a couple of cases[3][4]). But that
is something that we are planning to try soon[5].
--
Gustavo
[1] https://github.com/KSPP/linux/issues?q=invalid+use+of+flexible+array
[2] https://github.com/KSPP/linux/issues?q=invalid+application+of+%E2%80%98sizeof%E2%80%99+to+incomplete+type
[3] https://git.kernel.org/linus/db243b796439c0caba47865564d8acd18a301d18
[4] https://git.kernel.org/linus/d6cdad870358128c1e753e6258e295ab8a5a2429
[5] https://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux.git/commit/?h=for-next/kspp-fam0-uapi
Powered by blists - more mailing lists