From: Steffen Klassert <steffen.klassert@secunet.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Paul Moore <paul@paul-moore.com>, Florian Westphal <fw@strlen.de>,
<netdev@vger.kernel.org>
Subject: Re: [regression, 4.14] xfrm: Fix stack-out-of-bounds read in xfrm_state_find breaks selinux-testsuite
Date: Wed, 15 Nov 2017 06:40:10 +0100
Message-ID: <20171115054010.GS11292@secunet.com>
In-Reply-To: <1510692390.19398.20.camel@tycho.nsa.gov>

On Tue, Nov 14, 2017 at 03:46:30PM -0500, Stephen Smalley wrote:
> Hi,
>
> 4.14 is failing the selinux-testsuite labeled IPSEC tests despite
> having just been fixed in commit cf37966751747727 ("xfrm: do
> unconditional template resolution before pcpu cache check"). The
> breaking commit is the very next one, commit c9f3f813d462c72d ("xfrm:
> Fix stack-out-of-bounds read in xfrm_state_find."). Unlike the earlier
> breakage, which caused use of the wrong SA, this one leads to a failure
> on connect(). Running ip xfrm monitor during one of the failing tests
> shows the following:
> acquire proto ah
> sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 0 dport 65535
> dev lo
> policy src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp
> security context
> unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023
> dir out priority 0 ptype main
> tmpl src 0.0.0.0 dst 0.0.0.0
> proto ah reqid 0 mode transport

Yes, I see. This is because there are wildcard src and dst
addresses on the template. I'll revert this one for now.

I slowly start to think that the concept of having a socket
policy on an IPv6 socket that maps to IPv4 is fundamentally
broken. The bug I tried to fix here is not the first one
that was reported from syzkaller for this scenario and I
fear it is not the last one.

Thanks for reporting this!