diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-11-05 16:39:24 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-11-05 16:45:51 -0500 |
| commit | 212cd0895330b775f2db49451f046a5ca4e5704b (patch) | |
| tree | c4f9be4c046587df4fad72299a5888096153f4c9 /security/selinux/hooks.c | |
| parent | 432599d7a7062ad7e37e72601607dc35596afe40 (diff) | |
selinux: fix random read in selinux_ip_postroute_compat()
In commit e446f9dfe17b ("net: synack packets can be attached to request
sockets"), I missed one remaining case of invalid skb->sk->sk_security
access.
Dmitry Vyukov got a KASan report pointing to it.
Add selinux_skb_sk() helper that is responsible to get back to the
listener if skb is attached to a request socket, instead of
duplicating the logic.
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 26f4039d54b8..c9b2d5467477 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -4931,11 +4931,23 @@ static unsigned int selinux_ipv4_output(void *priv, | |||
| 4931 | return selinux_ip_output(skb, PF_INET); | 4931 | return selinux_ip_output(skb, PF_INET); |
| 4932 | } | 4932 | } |
| 4933 | 4933 | ||
| 4934 | /* SYNACK messages might be attached to request sockets. | ||
| 4935 | * To get back to sk_security, we need to look at the listener. | ||
| 4936 | */ | ||
| 4937 | static struct sock *selinux_skb_sk(const struct sk_buff *skb) | ||
| 4938 | { | ||
| 4939 | struct sock *sk = skb->sk; | ||
| 4940 | |||
| 4941 | if (sk && sk->sk_state == TCP_NEW_SYN_RECV) | ||
| 4942 | sk = inet_reqsk(sk)->rsk_listener; | ||
| 4943 | return sk; | ||
| 4944 | } | ||
| 4945 | |||
| 4934 | static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, | 4946 | static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, |
| 4935 | int ifindex, | 4947 | int ifindex, |
| 4936 | u16 family) | 4948 | u16 family) |
| 4937 | { | 4949 | { |
| 4938 | struct sock *sk = skb->sk; | 4950 | struct sock *sk = selinux_skb_sk(skb); |
| 4939 | struct sk_security_struct *sksec; | 4951 | struct sk_security_struct *sksec; |
| 4940 | struct common_audit_data ad; | 4952 | struct common_audit_data ad; |
| 4941 | struct lsm_network_audit net = {0,}; | 4953 | struct lsm_network_audit net = {0,}; |
| @@ -4990,7 +5002,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 4990 | if (!secmark_active && !peerlbl_active) | 5002 | if (!secmark_active && !peerlbl_active) |
| 4991 | return NF_ACCEPT; | 5003 | return NF_ACCEPT; |
| 4992 | 5004 | ||
| 4993 | sk = skb->sk; | 5005 | sk = selinux_skb_sk(skb); |
| 4994 | 5006 | ||
| 4995 | #ifdef CONFIG_XFRM | 5007 | #ifdef CONFIG_XFRM |
| 4996 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec | 5008 | /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec |
| @@ -5035,8 +5047,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, | |||
| 5035 | u32 skb_sid; | 5047 | u32 skb_sid; |
| 5036 | struct sk_security_struct *sksec; | 5048 | struct sk_security_struct *sksec; |
| 5037 | 5049 | ||
| 5038 | if (sk->sk_state == TCP_NEW_SYN_RECV) | ||
| 5039 | sk = inet_reqsk(sk)->rsk_listener; | ||
| 5040 | sksec = sk->sk_security; | 5050 | sksec = sk->sk_security; |
| 5041 | if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) | 5051 | if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) |
| 5042 | return NF_DROP; | 5052 | return NF_DROP; |