* Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv
@ 2019-01-16 10:14 John Johansen
2019-01-16 14:45 ` Paul Moore
2019-01-16 14:47 ` Stephen Smalley
0 siblings, 2 replies; 5+ messages in thread
From: John Johansen @ 2019-01-16 10:14 UTC (permalink / raw)
To: selinux
kernel: 5.0-rc2
d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
specifically the portion of the patch that does
- isec = msq->q_perm.security;
+ isec = msq->security;
which leaves the code
isec = msq->security;
msec = msg->security;
however isec and msec are different size structures. specifically isec is an ipc_security_struct and msec is a msg_security_struct. Which are defined as
struct msg_security_struct {
u32 sid; /* SID of message */
};
struct ipc_security_struct {
u16 sclass; /* security class of this object */
u32 sid; /* SID of IPC resource */
};
where the msg->security field is allocated as an ipc_security_struct. Access the msec->sid would thus appear to overlay the isec->sclass.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv
2019-01-16 10:14 Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv John Johansen
@ 2019-01-16 14:45 ` Paul Moore
2019-01-16 18:13 ` John Johansen
2019-01-16 14:47 ` Stephen Smalley
1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2019-01-16 14:45 UTC (permalink / raw)
To: John Johansen; +Cc: selinux
On Wed, Jan 16, 2019 at 5:14 AM John Johansen
<john.johansen@canonical.com> wrote:
>
> kernel: 5.0-rc2
>
> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>
> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>
> specifically the portion of the patch that does
>
> - isec = msq->q_perm.security;
> + isec = msq->security;
>
> which leaves the code
> isec = msq->security;
> msec = msg->security;
>
> however isec and msec are different size structures. specifically isec is an ipc_security_struct and msec is a msg_security_struct ...
I suspect there may be some mistaken identity regarding "msq" (with a
lower-case "Q") and "msg" (with a lower-case "G").
Looking quickly at selinux_msg_queue_msgsnd() and
selinux_msg_queue_msgrcv() it would appear that in both cases the
kern_ipc_perm->security pointer is assigned to an ipc_security_struct
pointer and the msg_msg->security struct is assigned a
msg_security_struct pointer. This appears to be correct, or is there
something I'm missing in your report?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv
2019-01-16 10:14 Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv John Johansen
2019-01-16 14:45 ` Paul Moore
@ 2019-01-16 14:47 ` Stephen Smalley
2019-01-16 18:28 ` John Johansen
1 sibling, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2019-01-16 14:47 UTC (permalink / raw)
To: John Johansen, selinux, Paul Moore
On 1/16/19 5:14 AM, John Johansen wrote:
> kernel: 5.0-rc2
>
> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>
> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>
>
> specifically the portion of the patch that does
>
> - isec = msq->q_perm.security;
> + isec = msq->security;
>
> which leaves the code
> isec = msq->security;
> msec = msg->security;
>
> however isec and msec are different size structures. specifically isec is an ipc_security_struct and msec is a msg_security_struct. Which are defined as
>
> struct msg_security_struct {
> u32 sid; /* SID of message */
> };
>
> struct ipc_security_struct {
> u16 sclass; /* security class of this object */
> u32 sid; /* SID of IPC resource */
> };
>
> where the msg->security field is allocated as an ipc_security_struct. Access the msec->sid would thus appear to overlay the isec->sclass.
The only thing that changed in that commit was directly passing
&msgq->q_perm to the hook instead of passing msgq to the hook and then
dereferencing msq->q_perm to reach the ipc security blob.
msg is a different object from msq with its own security blob (msg is an
individual message; msq is the message queue). isec and msec point to
two different security blobs with different structures.
I don't see a problem offhand.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv
2019-01-16 14:45 ` Paul Moore
@ 2019-01-16 18:13 ` John Johansen
0 siblings, 0 replies; 5+ messages in thread
From: John Johansen @ 2019-01-16 18:13 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
On 1/16/19 6:45 AM, Paul Moore wrote:
> On Wed, Jan 16, 2019 at 5:14 AM John Johansen
> <john.johansen@canonical.com> wrote:
>>
>> kernel: 5.0-rc2
>>
>> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>>
>> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>>
>> specifically the portion of the patch that does
>>
>> - isec = msq->q_perm.security;
>> + isec = msq->security;
>>
>> which leaves the code
>> isec = msq->security;
>> msec = msg->security;
>>
>> however isec and msec are different size structures. specifically isec is an ipc_security_struct and msec is a msg_security_struct ...
>
> I suspect there may be some mistaken identity regarding "msq" (with a
> lower-case "Q") and "msg" (with a lower-case "G").
>
> Looking quickly at selinux_msg_queue_msgsnd() and
> selinux_msg_queue_msgrcv() it would appear that in both cases the
> kern_ipc_perm->security pointer is assigned to an ipc_security_struct
> pointer and the msg_msg->security struct is assigned a
> msg_security_struct pointer. This appears to be correct, or is there
> something I'm missing in your report?
>
ha, that is indeed it. I looked at this multiple times and didn't pickup
the q vs g. Thanks sorry for the bad report, guess I should have gone to
bed sarlier :)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv
2019-01-16 14:47 ` Stephen Smalley
@ 2019-01-16 18:28 ` John Johansen
0 siblings, 0 replies; 5+ messages in thread
From: John Johansen @ 2019-01-16 18:28 UTC (permalink / raw)
To: Stephen Smalley, selinux, Paul Moore
On 1/16/19 6:47 AM, Stephen Smalley wrote:
> On 1/16/19 5:14 AM, John Johansen wrote:
>> kernel: 5.0-rc2
>>
>> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>>
>> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>>
>>
>> specifically the portion of the patch that does
>>
>> - isec = msq->q_perm.security;
>> + isec = msq->security;
>>
>> which leaves the code
>> isec = msq->security;
>> msec = msg->security;
>>
>> however isec and msec are different size structures. specifically isec is an ipc_security_struct and msec is a msg_security_struct. Which are defined as
>>
>> struct msg_security_struct {
>> u32 sid; /* SID of message */
>> };
>>
>> struct ipc_security_struct {
>> u16 sclass; /* security class of this object */
>> u32 sid; /* SID of IPC resource */
>> };
>>
>> where the msg->security field is allocated as an ipc_security_struct. Access the msec->sid would thus appear to overlay the isec->sclass.
>
> The only thing that changed in that commit was directly passing &msgq->q_perm to the hook instead of passing msgq to the hook and then dereferencing msq->q_perm to reach the ipc security blob.
>
> msg is a different object from msq with its own security blob (msg is an individual message; msq is the message queue). isec and msec point to two different security blobs with different structures.
>
> I don't see a problem offhand.
yep, sorry combination of bad fonts, and being 3am. sorry for the bad report
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-01-16 18:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-16 10:14 Bug Report: bug if selinux_msg_queue_msgsnd & and selinux_msg_queue_msgrcv John Johansen
2019-01-16 14:45 ` Paul Moore
2019-01-16 18:13 ` John Johansen
2019-01-16 14:47 ` Stephen Smalley
2019-01-16 18:28 ` John Johansen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.