| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Jan 2024 17:34:15 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Eric Paris <eparis@...isplace.org>,
Paul Moore <paul@...l-moore.com>,
Stephen Smalley <stephen.smalley.work@...il.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
Günther Noack <gnoack@...gle.com>,
Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Muhammad Usama Anjum <usama.anjum@...labora.com>,
linux-security-module@...r.kernel.org,
netdev@...r.kernel.org
Subject: [PATCH v3] selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
The IPv6 network stack first checks the sockaddr length (-EINVAL error)
before checking the family (-EAFNOSUPPORT error).
This was discovered thanks to commit a549d055a22e ("selftests/landlock:
Add network tests").
Cc: Eric Paris <eparis@...isplace.org>
Cc: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
Cc: Paul Moore <paul@...l-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@...il.com>
Reported-by: Muhammad Usama Anjum <usama.anjum@...labora.com>
Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com
Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
Signed-off-by: Mickaël Salaün <mic@...ikod.net>
---
Changes since v2:
https://lore.kernel.org/r/20231229171922.106190-1-mic@digikod.net
* Add !PF_INET6 check and comments (suggested by Paul).
* s/AF_INET/PF_INET/g (cosmetic change).
Changes since v1:
https://lore.kernel.org/r/20231228113917.62089-1-mic@digikod.net
* Use the "family" variable (suggested by Paul).
---
security/selinux/hooks.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index feda711c6b7b..8b1429eb2db5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4667,6 +4667,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
return -EINVAL;
addr4 = (struct sockaddr_in *)address;
if (family_sa == AF_UNSPEC) {
+ if (family == PF_INET6) {
+ /* Length check from inet6_bind_sk() */
+ if (addrlen < SIN6_LEN_RFC2133)
+ return -EINVAL;
+ /* Family check from __inet6_bind() */
+ goto err_af;
+ }
/* see __inet_bind(), we only want to allow
* AF_UNSPEC if the address is INADDR_ANY
*/
--
2.43.0
Powered by blists - more mailing lists