Message-ID: <CAHC9VhQ9qJGBo3CmgBRvqLMfctHUOZrT3R8iiL9ZH7mM735YPA@mail.gmail.com>
Date: Tue, 26 Nov 2024 10:54:07 -0500
From: Paul Moore <paul@...l-moore.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, eric.dumazet@...il.com, 
	syzbot+2d9f5f948c31dcb7745e@...kaller.appspotmail.com, 
	Stephen Smalley <stephen.smalley.work@...il.com>, Ondrej Mosnacek <omosnace@...hat.com>, 
	selinux@...r.kernel.org, Kuniyuki Iwashima <kuniyu@...zon.com>, 
	Brian Vazquez <brianvv@...gle.com>
Subject: Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()

On Tue, Nov 26, 2024 at 9:59 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> In blamed commit, TCP started to attach timewait sockets to
> some skbs.
>
> syzbot reported that selinux_ip_output() was not expecting them yet.
>
> Note that using sk_to_full_sk() is still allowing the
> following sk_listener() check to work as before.
>
> BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
> BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
> Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894
>
> CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> Call Trace:

...

> Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs")
> Reported-by: syzbot+2d9f5f948c31dcb7745e@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> ---
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: Stephen Smalley <stephen.smalley.work@...il.com>
> Cc: Ondrej Mosnacek <omosnace@...hat.com>
> Cc: selinux@...r.kernel.org
> Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
> Cc: Brian Vazquez <brianvv@...gle.com>
> ---
>  security/selinux/hooks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

This looks okay to me and based on the "net" marking in the subject
I'm guessing you're planning to send this up to Linus via the netdev
tree?  If not, let me know and I'll send this up via the selinux tree.
As long as we fix it I'm happy.

Acked-by: Paul Moore <paul@...l-moore.com>

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f5a08f94e09402b6b0b1538fae1a7a3f5af19fe6..366c87a40bd15707f6da4f25e8de4ddce3d281fc 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5738,7 +5738,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
>         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
>          * because we want to make sure we apply the necessary labeling
>          * before IPsec is applied so we can leverage AH protection */
> -       sk = skb->sk;
> +       sk = sk_to_full_sk(skb->sk);
>         if (sk) {
>                 struct sk_security_struct *sksec;
>
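Review bot: The changed line `sk = sk_to_full_sk(skb->sk);` has no comment saying why the raw `skb->sk` can no longer be used, and the comment directly above it only covers LOCAL_OUT versus POST_ROUTING. Suggest one line above the assignment noting that `skb->sk` may be a timewait socket (per the commit message) and must be converted before the `sk_security_struct` lookup inside `if (sk)`, so a later cleanup does not revert to the direct read. The existing `if (sk)` test already covers the case where the conversion yields no socket, so no further check looks necessary in this hunk.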
> --
> 2.47.0.338.g60cca15819-goog

-- 
paul-moore.com
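
Added example, not part of the original message or the kernel source: a userspace C model of the bug class in the KASAN report, where a small timewait object is treated as a full socket and a field past the end of its allocation is read. All struct and function names are hypothetical, and the mapping in `to_full_sock()` (request socket to its listener, timewait to NULL) is this model's assumption about the helper; the page shows only the call.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stddef.h>
#include <stdio.h>

enum sk_state { ST_ESTABLISHED, ST_LISTEN, ST_NEW_SYN_RECV, ST_TIME_WAIT };

/* Header shared by every socket flavour (models the kernel's sock_common). */
struct sock_common { enum sk_state state; };

/* Full socket: header, other state, and the LSM blob pointer. */
struct full_sock { struct sock_common c; char other[64]; void *security; };

/* Mini sockets carry the header but are far smaller and have no blob. */
struct tw_sock  { struct sock_common c; int tw_timeout; };
struct req_sock { struct sock_common c; struct full_sock *listener; };

/* Assumed model of sk_to_full_sk(): mini socket -> full socket or NULL. */
static struct full_sock *to_full_sock(struct sock_common *sk)
{
    if (!sk) return NULL;
    switch (sk->state) {
    case ST_NEW_SYN_RECV: return ((struct req_sock *)sk)->listener;
    case ST_TIME_WAIT:    return NULL;
    default:              return (struct full_sock *)sk;
    }
}

/* Would a blind cast to full_sock read ->security inside the allocation? */
static int blind_read_in_bounds(size_t alloc_size)
{
    return offsetof(struct full_sock, security) + sizeof(void *) <= alloc_size;
}

/* Hook shape after the fix: convert first, then touch the blob.
 * Returns 1 when a security blob was consulted, 0 when skipped. */
static int output_hook(struct sock_common *skb_sk)
{
    struct full_sock *sk = to_full_sock(skb_sk);
    return sk && sk->security != NULL;
}

int main(void)
{
    struct tw_sock tw = { .c = { ST_TIME_WAIT }, .tw_timeout = 60 };
    printf("blind read in bounds for timewait: %d\n",
           blind_read_in_bounds(sizeof tw));
    printf("hook on timewait: %d\n", output_hook(&tw.c));
    return 0;
}
```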
