From: Maninder Singh
Date: Wed, 01 Apr 2015 13:07:20 +0000 (GMT)
Subject: Re: Re: [Fix kernel crash in cipso_v4_sock_delattr ]
To: Casey Schaufler, Maninder Singh, Paul Moore
Cc: "davem@davemloft.net", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org", Vaneet Narang, AJEET YADAV
Reply-to: maninder1.s@samsung.com
Message-id: <1233624800.241631427893638492.JavaMail.weblogic@epmlwas09b>

We have run the trinity tool on a smack enabled system,
like below:-

#./trinity -c sendto --dangerous
After some time we are able to crash the kernel:-

[] (cipso_v4_sock_delattr+0x0/0x74) from [] (netlbl_sock_delattr+0x18/0x1c)
 r4:00000000 r3:c07872f8
[] (netlbl_sock_delattr+0x0/0x1c) from [] (smack_netlabel+0x88/0x9c)
[] (smack_netlabel+0x0/0x9c) from [] (smack_netlabel_send+0x12c/0x144)
 r7:d9cee3c0 r6:d7b01ef4 r5:c076f408 r4:d88c84c0
[] (smack_netlabel_send+0x0/0x144) from [] (smack_socket_sendmsg+0x54/0x60)
[] (smack_socket_sendmsg+0x0/0x60) from [] (security_socket_sendmsg+0x28/0x2c)
[] (security_socket_sendmsg+0x0/0x2c) from [] (sock_sendmsg+0x68/0xc0)
[] (sock_sendmsg+0x0/0xc0) from [] (SyS_sendto+0xd8/0x110)
 r7:01400118 r6:0000007f r5:da308a00 r4:c076f408
[] (SyS_sendto+0x0/0x110) from [] (ret_fast_syscall+0x0/0x48)
Code: e5903200 e1a04000 e3530000 089da818 (e5d33016)
[SELP] while loop ... please attach T32...

And after further debugging we find this crash always comes with a Netlink socket.
And except this API "netlbl_sock_delattr", all other related Netlabel APIs have a check to validate the socket family.
That's why we added a socket family check for this API "netlbl_sock_delattr", and it resolves our issue.

Thanks
Maninder Singh

On 3/30/2015 10:09 PM, Maninder Singh wrote:
> We are currently using 3.10.58 kernel and we are facing this issue for smack enabled system.
> and as we can check in other APIs like netlbl_sock_getattr and netlbl_conn_setattr have this preventive check so we added this check for netlbl_sock_delattr also.
>
> And regarding patch re-submission, actually we have run checkpatch.pl before submission (successful). But when we submit the patch our editor changes tabs into spaces, we will resubmit the patch ASAP.

Further review shows that the Smack code in 3.10.72 (I don't believe it changed
after 3.10.58) already checks for the address family being AF_INET. This would indicate
that the netlink code is sending garbage to security_socket_sendmsg().

Can you provide a more specific test case?
I would like to see if this problem is present in newer kernels.

>
> Maninder Singh
> ------- Original Message -------
> Sender : Casey Schaufler
> Date : Mar 31, 2015 02:25 (GMT+09:00)
> Title : Re: [Fix kernel crash in cipso_v4_sock_delattr ]
>
> On 3/30/2015 4:32 AM, Paul Moore wrote:
>> On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
>>> Dear All,
>>> we found One Kernel Crash issue in cipso_v4_sock_delattr :-
>>> As Cipso supports only inet sockets so cipso_v4_sock_delattr will crash when
>>> try to access any other socket type. cipso_v4_sock_delattr access
>>> sk_inet->inet_opt which may contain not NULL but invalid address. we found
>>> this issue with netlink socket.(reproducible by trinity using sendto system
>>> call .)
>> Hello,
>>
>> First, please go read the Documentation/SubmittingPatches from the kernel
>> sources; your patch needs to be resubmitted and the instructions in that file
>> will show you how to do it correctly next time.
>>
>> Second, this appears to only affect Smack based systems, yes? SELinux based
>> systems should have the proper checking in place to prevent this (the checks
>> are handled in the LSM).
> This looks like a problem that was fixed some time ago.
> The current Smack code clearly checks for this. What kernel
> version are you testing against?
>
>> That said, it probably wouldn't hurt to add the
>> extra checking to netlbl_sock_delattr(). If you properly resubmit your patch
>> I'll ACK it.
>>
>> -Paul
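
Added example (not part of the original message and not kernel source): a userspace C model of the socket family check discussed in this thread. The struct names, field layout, constants and return codes are assumptions made for illustration; only the idea of validating the socket family before treating a socket as an inet socket and touching inet_opt comes from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel types; values and layout are assumed. */
enum { FAM_INET = 2, FAM_NETLINK = 16 };
struct sock_model { unsigned short sk_family; };
struct ip_options_model { unsigned char cipso; /* 0 = no CIPSO option */ };

/* inet socket: generic sock first, then the inet-only options pointer. */
struct inet_sock_model {
    struct sock_model sk;
    struct ip_options_model *inet_opt;
};
/* netlink socket: same leading sock, unrelated data where inet_opt would sit. */
struct netlink_sock_model {
    struct sock_model sk;
    uintptr_t portid;
};

/* What an unchecked delattr would load as "inet_opt" (read, never dereferenced). */
uintptr_t inet_opt_bits(const void *sock_obj)
{
    uintptr_t bits;
    memcpy(&bits, (const unsigned char *)sock_obj +
           offsetof(struct inet_sock_model, inet_opt), sizeof bits);
    return bits;
}

/* Checked delattr: 1 = CIPSO option removed, 0 = nothing to remove,
 * -EAFNOSUPPORT = not an inet socket, left untouched. */
int delattr_checked(struct sock_model *sk)
{
    struct inet_sock_model *inet;
    if (sk->sk_family != FAM_INET)
        return -EAFNOSUPPORT;          /* never reinterpret a non-inet socket */
    inet = (struct inet_sock_model *)sk;
    if (inet->inet_opt == NULL || inet->inet_opt->cipso == 0)
        return 0;
    inet->inet_opt->cipso = 0;
    return 1;
}

int main(void)
{
    struct netlink_sock_model nl = { { FAM_NETLINK }, 0x5a5a5a5a }; /* constructed */
    return delattr_checked(&nl.sk) == -EAFNOSUPPORT ? 0 : 1;
}
```

For the netlink model, inet_opt_bits() returns the non-NULL portid value, which is why a NULL test on inet_opt alone does not protect the unchecked path.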