diff mbox series

[net] selinux: add the missing walk_size + len check in selinux_sctp_bind_connect

Message ID 1e5accb3a4a5575ada1dbdfc6e5d9e4358131f83.1552061254.git.lucien.xin@gmail.com (mailing list archive)
State Accepted
Headers show
Series [net] selinux: add the missing walk_size + len check in selinux_sctp_bind_connect | expand

Commit Message

Xin Long March 8, 2019, 4:07 p.m. UTC
As does in __sctp_connect(), when checking addrs in a while loop, after
get the addr len according to sa_family, it's necessary to do the check
walk_size + af->sockaddr_len > addrs_size to make sure it won't access
an out-of-bounds addr.

The same thing is needed in selinux_sctp_bind_connect(), otherwise an
out-of-bounds issue can be triggered:

  [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
  [14548.927083] Call Trace:
  [14548.938072]  dump_stack+0x9a/0xe9
  [14548.953015]  print_address_description+0x65/0x22e
  [14548.996524]  kasan_report.cold.6+0x92/0x1a6
  [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
  [14549.036947]  security_sctp_bind_connect+0x58/0x90
  [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
  [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]

Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Reported-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 security/selinux/hooks.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Marcelo Ricardo Leitner March 8, 2019, 5:08 p.m. UTC | #1
On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote:
> As does in __sctp_connect(), when checking addrs in a while loop, after
> get the addr len according to sa_family, it's necessary to do the check
> walk_size + af->sockaddr_len > addrs_size to make sure it won't access
> an out-of-bounds addr.
> 
> The same thing is needed in selinux_sctp_bind_connect(), otherwise an
> out-of-bounds issue can be triggered:
> 
>   [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
>   [14548.927083] Call Trace:
>   [14548.938072]  dump_stack+0x9a/0xe9
>   [14548.953015]  print_address_description+0x65/0x22e
>   [14548.996524]  kasan_report.cold.6+0x92/0x1a6
>   [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
>   [14549.036947]  security_sctp_bind_connect+0x58/0x90
>   [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
>   [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
> 
> Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> Reported-by: Chunyu Hu <chuhu@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Paul, how can we get this into -stable trees? SELinux process may be
different from -net trees.

> ---
>  security/selinux/hooks.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f0e36c3..dac9bdb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5120,6 +5120,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
>  			return -EINVAL;
>  		}
>  
> +		if (walk_size + len > addrlen)
> +			return -EINVAL;
> +
>  		err = -EINVAL;
>  		switch (optname) {
>  		/* Bind checks */
> -- 
> 2.1.0
>
Paul Moore March 9, 2019, 2:47 a.m. UTC | #2
On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote:
> > As does in __sctp_connect(), when checking addrs in a while loop, after
> > get the addr len according to sa_family, it's necessary to do the check
> > walk_size + af->sockaddr_len > addrs_size to make sure it won't access
> > an out-of-bounds addr.
> >
> > The same thing is needed in selinux_sctp_bind_connect(), otherwise an
> > out-of-bounds issue can be triggered:
> >
> >   [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
> >   [14548.927083] Call Trace:
> >   [14548.938072]  dump_stack+0x9a/0xe9
> >   [14548.953015]  print_address_description+0x65/0x22e
> >   [14548.996524]  kasan_report.cold.6+0x92/0x1a6
> >   [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
> >   [14549.036947]  security_sctp_bind_connect+0x58/0x90
> >   [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
> >   [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
> >
> > Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> > Reported-by: Chunyu Hu <chuhu@redhat.com>
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
>
> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Thanks, this patch looks good to me.

> Paul, how can we get this into -stable trees? SELinux process may be
> different from -net trees.

For patches that warrant inclusion in -stable, I merge them into the
current selinux/stable-X.Y and send it up to Linus once it passes some
basic sanity tests.  Since we're still only half-way through the merge
window, and this is an obvious bug fix, I think this qualifies as
-stable material.

I'm traveling at the moment with not-so-great connectivity, but I'll
get this merged and verified early next week.
Paul Moore March 11, 2019, 8:11 p.m. UTC | #3
On Fri, Mar 8, 2019 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
> > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote:
> > > As does in __sctp_connect(), when checking addrs in a while loop, after
> > > get the addr len according to sa_family, it's necessary to do the check
> > > walk_size + af->sockaddr_len > addrs_size to make sure it won't access
> > > an out-of-bounds addr.
> > >
> > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an
> > > out-of-bounds issue can be triggered:
> > >
> > >   [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
> > >   [14548.927083] Call Trace:
> > >   [14548.938072]  dump_stack+0x9a/0xe9
> > >   [14548.953015]  print_address_description+0x65/0x22e
> > >   [14548.996524]  kasan_report.cold.6+0x92/0x1a6
> > >   [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
> > >   [14549.036947]  security_sctp_bind_connect+0x58/0x90
> > >   [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
> > >   [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
> > >
> > > Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> > > Reported-by: Chunyu Hu <chuhu@redhat.com>
> > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> >
> > Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
>
> Thanks, this patch looks good to me.
>
> > Paul, how can we get this into -stable trees? SELinux process may be
> > different from -net trees.
>
> For patches that warrant inclusion in -stable, I merge them into the
> current selinux/stable-X.Y and send it up to Linus once it passes some
> basic sanity tests.  Since we're still only half-way through the merge
> window, and this is an obvious bug fix, I think this qualifies as
> -stable material.
>
> I'm traveling at the moment with not-so-great connectivity, but I'll
> get this merged and verified early next week.

FYI, I just merged this into selinux/stable-5.1.  Assuming it tests
okay (and I can't imagine it would cause a regression), I'll send it
to Linus tomorrow.
Marcelo Ricardo Leitner March 11, 2019, 11:49 p.m. UTC | #4
On Mon, Mar 11, 2019 at 04:11:32PM -0400, Paul Moore wrote:
> On Fri, Mar 8, 2019 at 9:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Mar 8, 2019 at 12:08 PM Marcelo Ricardo Leitner
> > <marcelo.leitner@gmail.com> wrote:
> > > On Sat, Mar 09, 2019 at 12:07:34AM +0800, Xin Long wrote:
> > > > As does in __sctp_connect(), when checking addrs in a while loop, after
> > > > get the addr len according to sa_family, it's necessary to do the check
> > > > walk_size + af->sockaddr_len > addrs_size to make sure it won't access
> > > > an out-of-bounds addr.
> > > >
> > > > The same thing is needed in selinux_sctp_bind_connect(), otherwise an
> > > > out-of-bounds issue can be triggered:
> > > >
> > > >   [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
> > > >   [14548.927083] Call Trace:
> > > >   [14548.938072]  dump_stack+0x9a/0xe9
> > > >   [14548.953015]  print_address_description+0x65/0x22e
> > > >   [14548.996524]  kasan_report.cold.6+0x92/0x1a6
> > > >   [14549.015335]  selinux_sctp_bind_connect+0x1aa/0x1f0
> > > >   [14549.036947]  security_sctp_bind_connect+0x58/0x90
> > > >   [14549.058142]  __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
> > > >   [14549.081650]  sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
> > > >
> > > > Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> > > > Reported-by: Chunyu Hu <chuhu@redhat.com>
> > > > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > >
> > > Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> >
> > Thanks, this patch looks good to me.
> >
> > > Paul, how can we get this into -stable trees? SELinux process may be
> > > different from -net trees.
> >
> > For patches that warrant inclusion in -stable, I merge them into the
> > current selinux/stable-X.Y and send it up to Linus once it passes some
> > basic sanity tests.  Since we're still only half-way through the merge
> > window, and this is an obvious bug fix, I think this qualifies as
> > -stable material.
> >
> > I'm traveling at the moment with not-so-great connectivity, but I'll
> > get this merged and verified early next week.
> 
> FYI, I just merged this into selinux/stable-5.1.  Assuming it tests
> okay (and I can't imagine it would cause a regression), I'll send it
> to Linus tomorrow.

Thanks Paul.

  Marcelo
diff mbox series

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f0e36c3..dac9bdb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5120,6 +5120,9 @@  static int selinux_sctp_bind_connect(struct sock *sk, int optname,
 			return -EINVAL;
 		}
 
+		if (walk_size + len > addrlen)
+			return -EINVAL;
+
 		err = -EINVAL;
 		switch (optname) {
 		/* Bind checks */