From patchwork Wed Jun 1 19:18:15 2016
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 9148011
Message-ID: <1464808695.5939.167.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
From: Eric Dumazet
To: Paul Moore
Date: Wed, 01 Jun 2016 12:18:15 -0700
Cc: samanthakumar@google.com, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, netdev@vger.kernel.org
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
> Hello,
>
> I'm currently trying to debug a problem with 4.7-rc1 and labeled
> networking over UDP. I'm having some difficulty with the latest
> 4.7-rc1 builds on my test system at the moment so I haven't been able
> to concisely identify the problem, but looking through the commits in
> 4.7-rc1 I think there may be a problem with the following:
>
> commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
> Author: samanthakumar
> Date: Tue Apr 5 12:41:15 2016 -0400
>
> udp: remove headers from UDP packets before queueing
>
> Remove UDP transport headers before queueing packets for reception.
> This change simplifies a follow-up patch to add MSG_PEEK support.
>
> Signed-off-by: Sam Kumar
> Signed-off-by: Willem de Bruijn
> Signed-off-by: David S. Miller > > ... it appears that this commit changes things so that sk_filter() is > only called when sk->sk_filter is not NULL. While this is fine for > the traditional socket filter case, it causes problems with LSMs that > make use of security_sock_rcv_skb() to enforce per-packet access > controls. > > Hopefully I'll get 4.7-rc1 booting soon and I can do a proper > bisection test around this patch, but I wanted to mention this now in > case others are seeing the same problem. > Thanks for the report. Please try following fix. sk_filter() got additional features like the skb_pfmemalloc() things and security_sock_rcv_skb() Tested-by: Stephen Smalley Tested-by: Paul Moore diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index d56c0559b477..0ff31d97d485 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 2da1896af934..f421c9f23c5b 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) - goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) + goto csum_error; + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
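Review bot: in the net/ipv4/udp.c hunk (udp_queue_rcv_skb), the `goto csum_error;` line is carried over as unchanged context, so it keeps the indentation it had inside the old nested `if` even though it now belongs to the merged `if (rcu_access_pointer(sk->sk_filter) && udp_lib_checksum_complete(skb))`. The net/ipv6/udp.c hunk removes and re-adds that same line; doing the same here would re-indent it to the new nesting level and keep the two functions consistent.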
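Review bot: the now-unconditional `if (sk_filter(sk, skb))` in the net/ipv6/udp.c hunk (udpv6_queue_rcv_skb) carries no comment explaining why it must not be guarded by `sk->sk_filter`, and the same applies to the IPv4 call. The reply states that sk_filter() also covers the skb_pfmemalloc() handling and security_sock_rcv_skb(); a one-line comment above the call saying so would keep the guard from being reintroduced as an optimization. Separately, when no filter is attached, `udp_lib_checksum_complete(skb)` is skipped at this point, so the LSM hook inside sk_filter() runs before this function has verified the checksum; the commit message should say whether that ordering is intended.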