Message-ID: <CAHC9VhQ9qJGBo3CmgBRvqLMfctHUOZrT3R8iiL9ZH7mM735YPA@mail.gmail.com>
Date: Tue, 26 Nov 2024 10:54:07 -0500
From: Paul Moore <paul@...l-moore.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, eric.dumazet@...il.com,
syzbot+2d9f5f948c31dcb7745e@...kaller.appspotmail.com,
Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>,
selinux@...r.kernel.org, Kuniyuki Iwashima <kuniyu@...zon.com>,
Brian Vazquez <brianvv@...gle.com>
Subject: Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
On Tue, Nov 26, 2024 at 9:59 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> In blamed commit, TCP started to attach timewait sockets to
> some skbs.
>
> syzbot reported that selinux_ip_output() was not expecting them yet.
>
> Note that using sk_to_full_sk() is still allowing the
> following sk_listener() check to work as before.
>
> BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
> BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
> Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894
>
> CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> Call Trace:
...
> Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs")
> Reported-by: syzbot+2d9f5f948c31dcb7745e@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> ---
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: Stephen Smalley <stephen.smalley.work@...il.com>
> Cc: Ondrej Mosnacek <omosnace@...hat.com>
> Cc: selinux@...r.kernel.org
> Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
> Cc: Brian Vazquez <brianvv@...gle.com>
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
This looks okay to me and based on the "net" marking in the subject
I'm guessing you're planning to send this up to Linus via the netdev
tree? If not, let me know and I'll send this up via the selinux tree.
As long as we fix it I'm happy.
Acked-by: Paul Moore <paul@...l-moore.com>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f5a08f94e09402b6b0b1538fae1a7a3f5af19fe6..366c87a40bd15707f6da4f25e8de4ddce3d281fc 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5738,7 +5738,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
> /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
> * because we want to make sure we apply the necessary labeling
> * before IPsec is applied so we can leverage AH protection */
> - sk = skb->sk;
> + sk = sk_to_full_sk(skb->sk);
> if (sk) {
> struct sk_security_struct *sksec;
>
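Review bot: the `+ sk = sk_to_full_sk(skb->sk);` line removes the out-of-bounds read, but the hook still gives no hint why the raw `skb->sk` must not be used here: the `if (sk)` block directly below fetches a `struct sk_security_struct` from the socket, so selinux_ip_output() now depends on sk_to_full_sk() only ever handing back a full socket that carries an LSM blob. The KASAN report (slab-out-of-bounds in selinux_sock at objsec.h:207) shows what happens when a timewait socket reaches that lookup. Suggest extending the existing comment above the assignment with one line, e.g. `/* skb->sk may be a request/timewait socket without a security blob; sk_to_full_sk() maps it to the full socket */`, so the next person touching this path keeps the wrapper, and checking the other SELinux netfilter hooks that read skb->sk directly for the same pattern.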
> --
> 2.47.0.338.g60cca15819-goog
--
paul-moore.com