Message ID | 20170306184614.20056-1-glider@google.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
On Mon, 2017-03-06 at 19:46 +0100, Alexander Potapenko wrote: > KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of > uninitialized memory in selinux_socket_bind(): > ... > Signed-off-by: Alexander Potapenko <glider@google.com> > --- > Changes since v1: > - fixed patch description > - fixed addrlen tests to match those in inet_bind() and inet6_bind() > (per comment from Eric Dumazet) > --- > security/selinux/hooks.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0a4b4b040e0a..ddc4aca6c840 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in > u32 sid, node_perm; > > if (family == PF_INET) { > + if (addrlen < sizeof(struct sockaddr_in)) { > + err = -EINVAL; > + goto out; > + } > addr4 = (struct sockaddr_in *)address; > snum = ntohs(addr4->sin_port); > addrp = (char *)&addr4->sin_addr.s_addr; > + > } else { > + if (addrlen < SIN6_LEN_RFC2133) { > + err = -EINVAL; > + goto out; > + } > addr6 = (struct sockaddr_in6 *)address; > snum = ntohs(addr6->sin6_port); > addrp = (char *)&addr6->sin6_addr.s6_addr; Acked-by: Eric Dumazet <edumazet@google.com>
From: Alexander Potapenko <glider@google.com> Date: Mon, 6 Mar 2017 19:46:14 +0100 > KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of > uninitialized memory in selinux_socket_bind(): ... > (the line numbers are relative to 4.8-rc6, but the bug persists upstream) > > , when I run the following program as root: ... > (for different values of |size| other error reports are printed). > > This happens because bind() unconditionally copies |size| bytes of > |addr| to the kernel, leaving the rest uninitialized. Then > security_socket_bind() reads the IP address bytes, including the > uninitialized ones, to determine the port, or e.g. pass them further to > sel_netnode_find(), which uses them to calculate a hash. > > Signed-off-by: Alexander Potapenko <glider@google.com> Are the SELINUX folks going to pick this up or should I?
On Thu, Mar 9, 2017 at 2:12 AM, David Miller <davem@davemloft.net> wrote: > From: Alexander Potapenko <glider@google.com> > Date: Mon, 6 Mar 2017 19:46:14 +0100 > >> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of >> uninitialized memory in selinux_socket_bind(): > ... >> (the line numbers are relative to 4.8-rc6, but the bug persists upstream) >> >> , when I run the following program as root: > ... >> (for different values of |size| other error reports are printed). >> >> This happens because bind() unconditionally copies |size| bytes of >> |addr| to the kernel, leaving the rest uninitialized. Then >> security_socket_bind() reads the IP address bytes, including the >> uninitialized ones, to determine the port, or e.g. pass them further to >> sel_netnode_find(), which uses them to calculate a hash. >> >> Signed-off-by: Alexander Potapenko <glider@google.com> > > Are the SELINUX folks going to pick this up or should I? Yes, it's on my list of things to merge, I was just a bit distracted this week with yet another audit problem. I'm going to start making my way through the patch backlog today.
On Fri, Mar 10, 2017 at 7:01 AM, Paul Moore <paul@paul-moore.com> wrote: > On Thu, Mar 9, 2017 at 2:12 AM, David Miller <davem@davemloft.net> wrote: >> From: Alexander Potapenko <glider@google.com> >> Date: Mon, 6 Mar 2017 19:46:14 +0100 >> >>> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of >>> uninitialized memory in selinux_socket_bind(): >> ... >>> (the line numbers are relative to 4.8-rc6, but the bug persists upstream) >>> >>> , when I run the following program as root: >> ... >>> (for different values of |size| other error reports are printed). >>> >>> This happens because bind() unconditionally copies |size| bytes of >>> |addr| to the kernel, leaving the rest uninitialized. Then >>> security_socket_bind() reads the IP address bytes, including the >>> uninitialized ones, to determine the port, or e.g. pass them further to >>> sel_netnode_find(), which uses them to calculate a hash. >>> >>> Signed-off-by: Alexander Potapenko <glider@google.com> >> >> Are the SELINUX folks going to pick this up or should I? > > Yes, it's on my list of things to merge, I was just a bit distracted > this week with yet another audit problem. I'm going to start making > my way through the patch backlog today. Just merged into selinux/next, thanks. My apologies for the delay.
================================================================== BUG: KMSAN: use of unitialized memory inter: 0 CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48 ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff825759c8>] dump_stack+0x238/0x290 lib/dump_stack.c:51 [<ffffffff818bdee6>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008 [<ffffffff818bf0fb>] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424 [<ffffffff822dae71>] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288 [<ffffffff8229357c>] security_socket_bind+0x1ec/0x240 security/security.c:1240 [<ffffffff84265d98>] SYSC_bind+0x358/0x5f0 net/socket.c:1366 [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356 [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 [<ffffffff8518217c>] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:? chained origin: 00000000ba6009bb [<ffffffff810bb7a7>] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67 [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322 [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337 [<ffffffff818bd2b8>] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530 [<ffffffff818bf033>] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380 [<ffffffff84265b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356 [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356 [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 [<ffffffff8518217c>] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:? origin description: ----address@SYSC_bind (origin=00000000b8c00900) ================================================================== (the line numbers are relative to 4.8-rc6, but the bug persists upstream) , when I run the following program as root: ======================================================= #include <string.h> #include <sys/socket.h> #include <netinet/in.h> int main(int argc, char *argv[]) { struct sockaddr addr; int size = 0; if (argc > 1) { size = atoi(argv[1]); } memset(&addr, 0, sizeof(addr)); int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); bind(fd, &addr, size); return 0; } ======================================================= (for different values of |size| other error reports are printed). This happens because bind() unconditionally copies |size| bytes of |addr| to the kernel, leaving the rest uninitialized. Then security_socket_bind() reads the IP address bytes, including the uninitialized ones, to determine the port, or e.g. pass them further to sel_netnode_find(), which uses them to calculate a hash. Signed-off-by: Alexander Potapenko <glider@google.com> --- Changes since v1: - fixed patch description - fixed addrlen tests to match those in inet_bind() and inet6_bind() (per comment from Eric Dumazet) --- security/selinux/hooks.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0a4b4b040e0a..ddc4aca6c840 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in u32 sid, node_perm; if (family == PF_INET) { + if (addrlen < sizeof(struct sockaddr_in)) { + err = -EINVAL; + goto out; + } addr4 = (struct sockaddr_in *)address; snum = ntohs(addr4->sin_port); addrp = (char *)&addr4->sin_addr.s_addr; + } else { + if (addrlen < SIN6_LEN_RFC2133) { + err = -EINVAL; + goto out; + } addr6 = (struct sockaddr_in6 *)address; snum = ntohs(addr6->sin6_port); addrp = (char *)&addr6->sin6_addr.s6_addr;