From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
"Dmitry Vyukov" <dvyukov@google.com>,
stable@vger.kernel.org, "Paul Moore" <paul@paul-moore.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>
Subject: [PATCH 3.16 15/61] selinux: properly handle multiple messages in selinux_netlink_send()
Date: Tue, 09 Jun 2020 19:04:06 +0100 [thread overview]
Message-ID: <lsq.1591725832.420858282@decadent.org.uk> (raw)
In-Reply-To: <lsq.1591725831.850867383@decadent.org.uk>
3.16.85-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paul Moore <paul@paul-moore.com>
commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.
Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control. Prior to this patch, SELinux only inspected
the first message in the sk_buff.
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4669,39 +4669,59 @@ static int selinux_tun_dev_open(void *se
static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
- int err = 0;
- u32 perm;
+ int rc = 0;
+ unsigned int msg_len;
+ unsigned int data_len = skb->len;
+ unsigned char *data = skb->data;
struct nlmsghdr *nlh;
struct sk_security_struct *sksec = sk->sk_security;
+ u16 sclass = sksec->sclass;
+ u32 perm;
- if (skb->len < NLMSG_HDRLEN) {
- err = -EINVAL;
- goto out;
- }
- nlh = nlmsg_hdr(skb);
+ while (data_len >= nlmsg_total_size(0)) {
+ nlh = (struct nlmsghdr *)data;
- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
- if (err) {
- if (err == -EINVAL) {
+ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
+ * users which means we can't reject skb's with bogus
+ * length fields; our solution is to follow what
+ * netlink_rcv_skb() does and simply skip processing at
+ * messages with length fields that are clearly junk
+ */
+ if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
+ return 0;
+
+ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
+ if (rc == 0) {
+ rc = sock_has_perm(current, sk, perm);
+ if (rc)
+ return rc;
+ } else if (rc == -EINVAL) {
+ /* -EINVAL is a missing msg/perm mapping */
pr_warn_ratelimited("SELinux: unrecognized netlink"
- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
- " pig=%d comm=%s\n",
- sk->sk_protocol, nlh->nlmsg_type,
- secclass_map[sksec->sclass - 1].name,
- task_pid_nr(current), current->comm);
- if (!selinux_enforcing || security_get_allow_unknown())
- err = 0;
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+ " pid=%d comm=%s\n",
+ sk->sk_protocol, nlh->nlmsg_type,
+ secclass_map[sclass - 1].name,
+ task_pid_nr(current), current->comm);
+ if (selinux_enforcing && !security_get_allow_unknown())
+ return rc;
+ rc = 0;
+ } else if (rc == -ENOENT) {
+ /* -ENOENT is a missing socket/class mapping, ignore */
+ rc = 0;
+ } else {
+ return rc;
}
- /* Ignore */
- if (err == -ENOENT)
- err = 0;
- goto out;
+ /* move to the next message after applying netlink padding */
+ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
+ if (msg_len >= data_len)
+ return 0;
+ data_len -= msg_len;
+ data += msg_len;
}
- err = sock_has_perm(current, sk, perm);
-out:
- return err;
+ return rc;
}
#ifdef CONFIG_NETFILTER
next prev parent reply other threads:[~2020-06-09 18:11 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 18:03 [PATCH 3.16 00/61] 3.16.85-rc1 review Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 01/61] slcan: Fix memory leak in error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 02/61] can: slcan: Fix use-after-free Read in slcan_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 03/61] slcan: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 04/61] slip: Fix memory leak in slip_open error path Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 05/61] slip: Fix use-after-free Read in slip_open Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 06/61] slip: not call free_netdev before rtnl_unlock " Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 07/61] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:03 ` [PATCH 3.16 08/61] net-sysfs: fix netdev_queue_add_kobject() breakage Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 09/61] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 10/61] net-sysfs: Call dev_hold always in rx_queue_add_kobject Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 11/61] selinux: cleanup error reporting in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 12/61] selinux: convert WARN_ONCE() to printk() " Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 13/61] selinux: Print 'sclass' as string when unrecognized netlink message occurs Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 14/61] selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() Ben Hutchings
2020-06-09 18:04 ` Ben Hutchings [this message]
2020-06-09 18:04 ` [PATCH 3.16 16/61] drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 17/61] drivers: usb: core: Minimize irq disabling in usb_sg_cancel() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 18/61] USB: core: Fix free-while-in-use bug in the USB S-Glibrary Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 19/61] scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 20/61] scsi: mptfusion: Fix double fetch bug in ioctl Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 21/61] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 22/61] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 23/61] sg: O_EXCL and other lock handling Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 24/61] sg: prevent integer overflow when converting from sectors to bytes Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 25/61] scsi: sg: Change next_cmd_len handling to mirror upstream Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 26/61] scsi: sg: protect accesses to 'reserved' page array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 27/61] scsi: sg: reset 'res_in_use' after unlinking reserved array Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 28/61] scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 29/61] scsi: sg: recheck MMAP_IO request length with lock held Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 30/61] scsi: sg: remove 'save_scat_len' Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 31/61] scsi: sg: use standard lists for sg_requests Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 32/61] scsi: sg: off by one in sg_ioctl() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 33/61] scsi: sg: factor out sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 34/61] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 35/61] scsi: sg: Re-fix off by one in sg_fill_request_table() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 36/61] scsi: sg: disable SET_FORCE_LOW_DMA Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 37/61] scsi: sg: check for valid direction before starting the request Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 38/61] scsi: sg: close race condition in sg_remove_sfp_usercontext() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 39/61] scsi: sg: fix SG_DXFER_FROM_DEV transfers Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 40/61] scsi: sg: fix static checker warning in sg_is_valid_dxfer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 41/61] scsi: sg: only check for dxfer_len greater than 256M Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 42/61] scsi: sg: don't return bogus Sg_requests Ben Hutchings
2020-06-09 18:28 ` Tony Battersby
2020-06-09 19:03 ` Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 43/61] scsi: sg: fix minor memory leak in error path Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 44/61] scsi: sg: add sg_remove_request in sg_common_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 45/61] scsi: sg: add sg_remove_request in sg_write Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 46/61] signal: Extend exec_id to 64bits Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 47/61] USB: gadget: fix illegal array access in binding with UDC Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 48/61] ext4: Make checks for metadata_csum feature safer Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 49/61] ext4: protect journal inode's blocks using block_validity Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 50/61] ext4: unsigned int compared against zero Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 51/61] ext4: fix block validity checks for journal inodes using indirect blocks Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 52/61] ext4: don't perform block validity checks on the journal inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 53/61] ext4: add cond_resched() to ext4_protect_reserved_inode Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 54/61] x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 55/61] x86/cpu: Add a steppings field to struct x86_cpu_id Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 56/61] x86/cpu: Add 'table' argument to cpu_matches() Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 57/61] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 58/61] x86/speculation: Add SRBDS vulnerability and mitigation documentation Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 59/61] x86/speculation: Add Ivy Bridge to affected list Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 60/61] random: always use batched entropy for get_random_u{32,64} Ben Hutchings
2020-06-09 18:04 ` [PATCH 3.16 61/61] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() Ben Hutchings
2020-06-10 19:08 ` [PATCH 3.16 00/61] 3.16.85-rc1 review Guenter Roeck
2020-06-10 21:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1591725832.420858282@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=kda@linux-powerpc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=stable@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).