From: gregkh@linuxfoundation.org (Greg Kroah-Hartman)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3.18 34/36] selinux: general protection fault in sock_has_perm
Date: Mon, 5 Feb 2018 10:24:02 -0800 [thread overview]
Message-ID: <20180205182353.178669604@linuxfoundation.org> (raw)
In-Reply-To: <20180205182351.774761393@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Salyzyn <salyzyn@android.com>
In the absence of commit a4298e4522d6 ("net: add SOCK_RCU_FREE socket
flag") and all the associated infrastructure changes to take advantage
of a RCU grace period before freeing, there is a heightened
possibility that a security check is performed while an ill-timed
setsockopt call races in from user space. It then is prudent to null
check sk_security, and if the case, reject the permissions.
Because of the nature of this problem, hard to duplicate, no clear
path, this patch is a simplified band-aid for stable trees lacking the
infrastructure for the series of commits leading up to providing a
suitable RCU grace period. This adjustment is orthogonal to
infrastructure improvements that may nullify the needed check, but
could be added as good code hygiene in all trees.
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14233 Comm: syz-executor2 Not tainted 4.4.112-g5f6325b #28
task: ffff8801d1095f00 task.stack: ffff8800b5950000
RIP: 0010:[<ffffffff81b69b7e>] [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
RSP: 0018:ffff8800b5957ce0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10016b2af9f RCX: ffffffff81b69b51
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000010
RBP: ffff8800b5957de0 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff10016b2af68 R12: ffff8800b5957db8
R13: 0000000000000000 R14: ffff8800b7259f40 R15: 00000000000000d7
FS: 00007f72f5ae2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a2fa38 CR3: 00000001d7980000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff81b69a1f ffff8800b5957d58 00008000b5957d30 0000000041b58ab3
ffffffff83fc82f2 ffffffff81b69980 0000000000000246 ffff8801d1096770
ffff8801d3165668 ffffffff8157844b ffff8801d1095f00
ffff880000000001
Call Trace:
[<ffffffff81b6a19d>] selinux_socket_setsockopt+0x4d/0x80 security/selinux/hooks.c:4338
[<ffffffff81b4873d>] security_socket_setsockopt+0x7d/0xb0 security/security.c:1257
[<ffffffff82df1ac8>] SYSC_setsockopt net/socket.c:1757 [inline]
[<ffffffff82df1ac8>] SyS_setsockopt+0xe8/0x250 net/socket.c:1746
[<ffffffff83776499>] entry_SYSCALL_64_fastpath+0x16/0x92
Code: c2 42 9b b6 81 be 01 00 00 00 48 c7 c7 a0 cb 2b 84 e8
f7 2f 6d ff 49 8d 7d 10 48 b8 00 00 00 00 00 fc ff df 48 89
fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 01 00
00 41 8b 75 10 31
RIP [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
RSP <ffff8800b5957ce0>
---[ end trace 7b5aaf788fef6174 ]---
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux at tycho.nsa.gov
Cc: linux-security-module at vger.kernel.org
Cc: Eric Paris <eparis@parisplace.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: linux-kernel at vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3969,6 +3969,8 @@ static int sock_has_perm(struct task_str
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
+ if (!sksec)
+ return -EFAULT;
if (sksec->sid == SECINITSID_KERNEL)
return 0;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mark Salyzyn <salyzyn@android.com>,
Paul Moore <paul@paul-moore.com>,
Eric Dumazet <edumazet@google.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
Eric Paris <eparis@parisplace.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: [PATCH 3.18 34/36] selinux: general protection fault in sock_has_perm
Date: Mon, 5 Feb 2018 10:24:02 -0800 [thread overview]
Message-ID: <20180205182353.178669604@linuxfoundation.org> (raw)
In-Reply-To: <20180205182351.774761393@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Salyzyn <salyzyn@android.com>
In the absence of commit a4298e4522d6 ("net: add SOCK_RCU_FREE socket
flag") and all the associated infrastructure changes to take advantage
of a RCU grace period before freeing, there is a heightened
possibility that a security check is performed while an ill-timed
setsockopt call races in from user space. It then is prudent to null
check sk_security, and if the case, reject the permissions.
Because of the nature of this problem, hard to duplicate, no clear
path, this patch is a simplified band-aid for stable trees lacking the
infrastructure for the series of commits leading up to providing a
suitable RCU grace period. This adjustment is orthogonal to
infrastructure improvements that may nullify the needed check, but
could be added as good code hygiene in all trees.
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14233 Comm: syz-executor2 Not tainted 4.4.112-g5f6325b #28
task: ffff8801d1095f00 task.stack: ffff8800b5950000
RIP: 0010:[<ffffffff81b69b7e>] [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
RSP: 0018:ffff8800b5957ce0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10016b2af9f RCX: ffffffff81b69b51
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000010
RBP: ffff8800b5957de0 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff10016b2af68 R12: ffff8800b5957db8
R13: 0000000000000000 R14: ffff8800b7259f40 R15: 00000000000000d7
FS: 00007f72f5ae2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a2fa38 CR3: 00000001d7980000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffffffff81b69a1f ffff8800b5957d58 00008000b5957d30 0000000041b58ab3
ffffffff83fc82f2 ffffffff81b69980 0000000000000246 ffff8801d1096770
ffff8801d3165668 ffffffff8157844b ffff8801d1095f00
ffff880000000001
Call Trace:
[<ffffffff81b6a19d>] selinux_socket_setsockopt+0x4d/0x80 security/selinux/hooks.c:4338
[<ffffffff81b4873d>] security_socket_setsockopt+0x7d/0xb0 security/security.c:1257
[<ffffffff82df1ac8>] SYSC_setsockopt net/socket.c:1757 [inline]
[<ffffffff82df1ac8>] SyS_setsockopt+0xe8/0x250 net/socket.c:1746
[<ffffffff83776499>] entry_SYSCALL_64_fastpath+0x16/0x92
Code: c2 42 9b b6 81 be 01 00 00 00 48 c7 c7 a0 cb 2b 84 e8
f7 2f 6d ff 49 8d 7d 10 48 b8 00 00 00 00 00 fc ff df 48 89
fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 01 00
00 41 8b 75 10 31
RIP [<ffffffff81b69b7e>] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
RSP <ffff8800b5957ce0>
---[ end trace 7b5aaf788fef6174 ]---
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Cc: linux-security-module@vger.kernel.org
Cc: Eric Paris <eparis@parisplace.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3969,6 +3969,8 @@ static int sock_has_perm(struct task_str
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
+ if (!sksec)
+ return -EFAULT;
if (sksec->sid == SECINITSID_KERNEL)
return 0;
next prev parent reply other threads:[~2018-02-05 18:24 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-05 18:23 [PATCH 3.18 00/36] 3.18.94-stable review Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 01/36] Input: do not emit unneeded EV_SYN when suspending Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 02/36] um: link vmlinux with -no-pie Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 03/36] um: Stop abusing __KERNEL__ Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 04/36] um: Remove copy&paste code from init.h Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 05/36] loop: fix concurrent lo_open/lo_release Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 06/36] ALSA: seq: Make ioctls race-free Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 07/36] gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 08/36] igb: Free IRQs when device is hotplugged Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 09/36] KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 10/36] KVM: x86: Dont re-execute instruction when not passing CR2 value Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 11/36] KVM: X86: Fix operand/address-size during instruction decoding Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 12/36] bcache: check return value of register_shrinker Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 13/36] mac80211: fix the update of path metric for RANN frame Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 14/36] KVM: VMX: Fix rflags cache during vCPU reset Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 15/36] xen-netfront: remove warning when unloading module Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 16/36] nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0) Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 17/36] nfsd: check for use of the closed special stateid Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 18/36] hwmon: (pmbus) Use 64bit math for DIRECT format values Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 19/36] net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 20/36] quota: Check for register_shrinker() failure Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 21/36] scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 22/36] media: usbtv: add a new usbid Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 23/36] usb: gadget: dont dereference g until after it has been null checked Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 24/36] staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 25/36] USB: serial: pl2303: new device id for Chilitag Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 26/36] USB: cdc-acm: Do not log urb submission errors on disconnect Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 27/36] CDC-ACM: apply quirk for card reader Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 28/36] USB: serial: io_edgeport: fix possible sleep-in-atomic Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 29/36] usbip: prevent bind loops on devices attached to vhci_hcd Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 30/36] usbip: list: dont list " Greg Kroah-Hartman
2018-02-05 18:23 ` [PATCH 3.18 31/36] USB: serial: simple: add Motorola Tetra driver Greg Kroah-Hartman
2018-02-05 18:24 ` [PATCH 3.18 32/36] usb: f_fs: Prevent gadget unbind if it is already unbound Greg Kroah-Hartman
2018-02-05 18:24 ` [PATCH 3.18 33/36] usb: uas: unconditionally bring back host after reset Greg Kroah-Hartman
2018-02-05 18:24 ` Greg Kroah-Hartman [this message]
2018-02-05 18:24 ` [PATCH 3.18 34/36] selinux: general protection fault in sock_has_perm Greg Kroah-Hartman
2018-02-05 18:24 ` [PATCH 3.18 35/36] spi: imx: do not access registers while clocks disabled Greg Kroah-Hartman
2018-02-05 18:24 ` [PATCH 3.18 36/36] ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE Greg Kroah-Hartman
2018-02-05 21:35 ` [PATCH 3.18 00/36] 3.18.94-stable review Guenter Roeck
2018-02-06 10:27 ` Greg Kroah-Hartman
2018-02-05 22:15 ` Shuah Khan
2018-02-05 22:16 ` kernelci.org bot
2018-02-06 6:48 ` Harsh Shandilya
2018-02-06 10:34 ` Greg Kroah-Hartman
2018-02-06 11:42 ` Harsh Shandilya
2018-02-06 13:14 ` Greg Kroah-Hartman
2018-02-06 14:48 ` Guenter Roeck
2018-02-07 14:37 ` Greg Kroah-Hartman
2018-02-07 16:55 ` Guenter Roeck
2018-02-06 14:29 ` Guenter Roeck
2018-02-06 17:00 ` Greg Kroah-Hartman
2018-02-07 15:19 ` Harsh Shandilya
2018-02-07 23:17 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180205182353.178669604@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.