linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Fwd: A missing check bug in __sys_accept4_file()
@ 2021-05-12  7:43 Jinmeng Zhou
  2021-05-12 16:23 ` Paul Moore
  0 siblings, 1 reply; 2+ messages in thread
From: Jinmeng Zhou @ 2021-05-12  7:43 UTC (permalink / raw)
  To: axboe, Jakub Kicinski, davem, jmorris, serge
  Cc: shenwenbosmile, netdev, linux-security-module

Dear maintainers,

hi, our team has found and reported a missing check bug on Linux
kernel v5.10.7 using static analysis.
We are looking forward to having more experts' eyes on this. Thank you!

> On Fri, May 7, 2021 at 1:59 AM Jakub Kicinski <kuba@kernel.org> wrote:
> > On Thu, 6 May 2021 15:44:36 +0800 Jinmeng Zhou wrote:
> > hi, our team has found a missing check bug on Linux kernel v5.10.7 using static analysis. There is a path calls sock_alloc() after checking LSM function security_socket_create(), while another path calls it without checking.
> > We think there is a missing check bug in __sys_accept4_file() before calling sock_alloc().
>
> Perhaps the semantics for listening sockets is that only the parent
> sockets get the LSM check. Could you please circulate the report more
> widely? I'd be good to have LSM experts' eyes on this at least.
> CCing the mailing list should help get more opinions. Thank you!
>
> > Function sock_create_lite() uses security_socket_create() to check.
> > 1.    // check security_socket_create() ///////////////////////
> > 2.    int sock_create_lite(int family, int type, int protocol, struct socket **res)
> > 3.    {
> > 4.      int err;
> > 5.      struct socket *sock = NULL;
> > 6.      err = security_socket_create(family, type, protocol, 1);
> > 7.      if (err)
> > 8.        goto out;
> > 9.      sock = sock_alloc();
> > 10.   ...
> > 11.   }
> >
> > However, __sys_accept4_file() directly calls sock_alloc() without the security check.
> > 1.    // no check ////////////////////////////////////
> > 2.    int __sys_accept4_file(struct file *file, unsigned file_flags,
> > 3.          struct sockaddr __user *upeer_sockaddr,
> > 4.          int __user *upeer_addrlen, int flags,
> > 5.          unsigned long nofile)
> > 6.    {
> > 7.      struct socket *sock, *newsock;
> > 8.      struct file *newfile;
> > 9.      int err, len, newfd;
> > 10.     struct sockaddr_storage address;
> > 11.     if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
> > 12.       return -EINVAL;
> > 13.     if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
> > 14.       flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
> > 15.     sock = sock_from_file(file, &err);
> > 16.     if (!sock)
> > 17.       goto out;
> > 18.     err = -ENFILE;
> > 19.     newsock = sock_alloc();
> > 20.   ...
> > 21.   }
> >
> > This no-check function can be reached through syscall.
> > syscall => __sys_accept4 => __sys_accept4_file
> >
> > SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
> > int __user *, upeer_addrlen, int, flags)
> > {
> > return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags);
> > }
> >
> > Thanks!
> >
> >
> > Best regards,
> > Jinmeng Zhou
>


Best regards,
Jinmeng Zhou

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: A missing check bug in __sys_accept4_file()
  2021-05-12  7:43 Fwd: A missing check bug in __sys_accept4_file() Jinmeng Zhou
@ 2021-05-12 16:23 ` Paul Moore
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Moore @ 2021-05-12 16:23 UTC (permalink / raw)
  To: Jinmeng Zhou
  Cc: axboe, Jakub Kicinski, davem, James Morris, Serge Hallyn,
	shenwenbosmile, netdev, linux-security-module

On Wed, May 12, 2021 at 3:43 AM Jinmeng Zhou <jjjinmeng.zhou@gmail.com> wrote:
> Dear maintainers,
>
> hi, our team has found and reported a missing check bug on Linux
> kernel v5.10.7 using static analysis.
> We are looking forward to having more experts' eyes on this. Thank you!

Creating a new socket, not associated with a connection (e.g. via
sock_create_lite()), is a different operation than creating a new
socket in response to an incoming connection as is done in
__sys_accept4_file().  This is why the sock_create_lite() uses the
security_socket_create() LSM hook and __sys_accept4_file() uses the
security_socket_accept() LSM hook.

> > On Fri, May 7, 2021 at 1:59 AM Jakub Kicinski <kuba@kernel.org> wrote:
> > > On Thu, 6 May 2021 15:44:36 +0800 Jinmeng Zhou wrote:
> > > hi, our team has found a missing check bug on Linux kernel v5.10.7 using static analysis. There is a path calls sock_alloc() after checking LSM function security_socket_create(), while another path calls it without checking.
> > > We think there is a missing check bug in __sys_accept4_file() before calling sock_alloc().
> >
> > Perhaps the semantics for listening sockets is that only the parent
> > sockets get the LSM check. Could you please circulate the report more
> > widely? I'd be good to have LSM experts' eyes on this at least.
> > CCing the mailing list should help get more opinions. Thank you!
> >
> > > Function sock_create_lite() uses security_socket_create() to check.
> > > 1.    // check security_socket_create() ///////////////////////
> > > 2.    int sock_create_lite(int family, int type, int protocol, struct socket **res)
> > > 3.    {
> > > 4.      int err;
> > > 5.      struct socket *sock = NULL;
> > > 6.      err = security_socket_create(family, type, protocol, 1);
> > > 7.      if (err)
> > > 8.        goto out;
> > > 9.      sock = sock_alloc();
> > > 10.   ...
> > > 11.   }
> > >
> > > However, __sys_accept4_file() directly calls sock_alloc() without the security check.
> > > 1.    // no check ////////////////////////////////////
> > > 2.    int __sys_accept4_file(struct file *file, unsigned file_flags,
> > > 3.          struct sockaddr __user *upeer_sockaddr,
> > > 4.          int __user *upeer_addrlen, int flags,
> > > 5.          unsigned long nofile)
> > > 6.    {
> > > 7.      struct socket *sock, *newsock;
> > > 8.      struct file *newfile;
> > > 9.      int err, len, newfd;
> > > 10.     struct sockaddr_storage address;
> > > 11.     if (flags & ~(SOCK_CLOEXEC | SOCK_NONBLOCK))
> > > 12.       return -EINVAL;
> > > 13.     if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
> > > 14.       flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
> > > 15.     sock = sock_from_file(file, &err);
> > > 16.     if (!sock)
> > > 17.       goto out;
> > > 18.     err = -ENFILE;
> > > 19.     newsock = sock_alloc();
> > > 20.   ...
> > > 21.   }
> > >
> > > This no-check function can be reached through syscall.
> > > syscall => __sys_accept4 => __sys_accept4_file
> > >
> > > SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
> > > int __user *, upeer_addrlen, int, flags)
> > > {
> > > return __sys_accept4(fd, upeer_sockaddr, upeer_addrlen, flags);
> > > }

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-05-12 17:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-12  7:43 Fwd: A missing check bug in __sys_accept4_file() Jinmeng Zhou
2021-05-12 16:23 ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).