From: Jinmeng Zhou <jjjinmeng.zhou@gmail.com>
To: axboe@kernel.dk, Jakub Kicinski <kuba@kernel.org>,
davem@davemloft.net, jmorris@namei.org, serge@hallyn.com
Cc: shenwenbosmile@gmail.com, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Fwd: A missing check bug in __sys_accept4_file()
Date: Wed, 12 May 2021 15:43:03 +0800 [thread overview]
Message-ID: <CAA-qYXi-znXVt_8KuMwEpbqmeWVQJZX9ixnOLs22fPM7HKmmtA@mail.gmail.com> (raw)
Dear maintainers,
hi, our team has found and reported a missing check bug on Linux
kernel v5.10.7 using static analysis.
We are looking forward to having more experts' eyes on this. Thank you!
> On Fri, May 7, 2021 at 1:59 AM Jakub Kicinski <kuba@kernel.org> wrote:
> > On Thu, 6 May 2021 15:44:36 +0800 Jinmeng Zhou wrote:
> > hi, our team has found a missing check bug on Linux kernel v5.10.7 using static analysis. There is a path calls sock_alloc() after checking LSM function security_socket_create(), while another path calls it without checking.
> > We think there is a missing check bug in __sys_accept4_file() before calling sock_alloc().
>
> Perhaps the semantics for listening sockets is that only the parent
> sockets get the LSM check. Could you please circulate the report more
> widely? I'd be good to have LSM experts' eyes on this at least.
> CCing the mailing list should help get more opinions. Thank you!
>
> > Function sock_create_lite() uses security_socket_create() to check.
> > 1. // check security_socket_create() ///////////////////////
> > 2. int sock_create_lite(int family, int type, int protocol, struct socket **res)
> > 3. {
> > 4. int err;
> > 5. struct socket *sock = NULL;
> > 6. err = security_socket_create(family, type, protocol, 1);
> > 7. if (err)
> > 8. goto out;
> > 9. sock = sock_alloc();
> > 10. ...
> > 11. }
> >
> > However, __sys_accept4_file() directly calls sock_alloc() without the security check.
> > 1. // no check ////////////////////////////////////
> > 2. int __sys_accept4_file(struct file *file, unsigned file_flags,
> > 3. struct sockaddr __user *upeer_sockaddr,
> > 4. int __user *upeer_addrlen, int flags,
> > 5. unsigned long nofile)
> > 6. {
> > 7. struct socket *sock, *newsock;
> > 8. struct file *newfile;
> > 9. int err, len, newfd;
> > 10. struct sockaddr_storage address;
> > 11. if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
> > 12. return -EINVAL;
> > 13. if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
> > 14. flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
> > 15. sock = sock_from_file(file, &err);
> > 16. if (!sock)
> > 17. goto out;
> > 18. err = -ENFILE;
> > 19. newsock = sock_alloc();
> > 20. ...
> > 21. }
> >
> > This no-check function can be reached through syscall.
> > syscall => __sys_accept4 => __sys_accept4_file
> >
> > SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
> > int __user *, upeer_addrlen, int, flags)
> > {
> > return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags);
> > }
> >
> > Thanks!
> >
> >
> > Best regards,
> > Jinmeng Zhou
>
Best regards,
Jinmeng Zhou
next reply other threads:[~2021-05-12 7:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 7:43 Jinmeng Zhou [this message]
2021-05-12 16:23 ` A missing check bug in __sys_accept4_file() Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA-qYXi-znXVt_8KuMwEpbqmeWVQJZX9ixnOLs22fPM7HKmmtA@mail.gmail.com \
--to=jjjinmeng.zhou@gmail.com \
--cc=axboe@kernel.dk \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=kuba@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shenwenbosmile@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).