From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH 4.19 29/37] selinux: properly handle multiple messages in selinux_netlink_send()
Date: Mon, 4 May 2020 19:57:42 +0200 [thread overview]
Message-ID: <20200504165451.358601101@linuxfoundation.org> (raw)
In-Reply-To: <20200504165448.264746645@linuxfoundation.org>
From: Paul Moore <paul@paul-moore.com>
commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.
Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control. Prior to this patch, SELinux only inspected
the first message in the sk_buff.
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 70 ++++++++++++++++++++++++++++++-----------------
1 file changed, 45 insertions(+), 25 deletions(-)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5595,40 +5595,60 @@ static int selinux_tun_dev_open(void *se
static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
{
- int err = 0;
- u32 perm;
+ int rc = 0;
+ unsigned int msg_len;
+ unsigned int data_len = skb->len;
+ unsigned char *data = skb->data;
struct nlmsghdr *nlh;
struct sk_security_struct *sksec = sk->sk_security;
+ u16 sclass = sksec->sclass;
+ u32 perm;
- if (skb->len < NLMSG_HDRLEN) {
- err = -EINVAL;
- goto out;
- }
- nlh = nlmsg_hdr(skb);
+ while (data_len >= nlmsg_total_size(0)) {
+ nlh = (struct nlmsghdr *)data;
- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
- if (err) {
- if (err == -EINVAL) {
+ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
+ * users which means we can't reject skb's with bogus
+ * length fields; our solution is to follow what
+ * netlink_rcv_skb() does and simply skip processing at
+ * messages with length fields that are clearly junk
+ */
+ if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
+ return 0;
+
+ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
+ if (rc == 0) {
+ rc = sock_has_perm(sk, perm);
+ if (rc)
+ return rc;
+ } else if (rc == -EINVAL) {
+ /* -EINVAL is a missing msg/perm mapping */
pr_warn_ratelimited("SELinux: unrecognized netlink"
- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
- " pig=%d comm=%s\n",
- sk->sk_protocol, nlh->nlmsg_type,
- secclass_map[sksec->sclass - 1].name,
- task_pid_nr(current), current->comm);
- if (!enforcing_enabled(&selinux_state) ||
- security_get_allow_unknown(&selinux_state))
- err = 0;
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+ " pid=%d comm=%s\n",
+ sk->sk_protocol, nlh->nlmsg_type,
+ secclass_map[sclass - 1].name,
+ task_pid_nr(current), current->comm);
+ if (enforcing_enabled(&selinux_state) &&
+ !security_get_allow_unknown(&selinux_state))
+ return rc;
+ rc = 0;
+ } else if (rc == -ENOENT) {
+ /* -ENOENT is a missing socket/class mapping, ignore */
+ rc = 0;
+ } else {
+ return rc;
}
- /* Ignore */
- if (err == -ENOENT)
- err = 0;
- goto out;
+ /* move to the next message after applying netlink padding */
+ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
+ if (msg_len >= data_len)
+ return 0;
+ data_len -= msg_len;
+ data += msg_len;
}
- err = sock_has_perm(sk, perm);
-out:
- return err;
+ return rc;
}
#ifdef CONFIG_NETFILTER
next prev parent reply other threads:[~2020-05-04 18:02 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-04 17:57 [PATCH 4.19 00/37] 4.19.121-rc1 review Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 01/37] drm/edid: Fix off-by-one in DispID DTD pixel clock Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 02/37] drm/qxl: qxl_release leak in qxl_draw_dirty_fb() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 03/37] drm/qxl: qxl_release leak in qxl_hw_surface_alloc() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 04/37] drm/qxl: qxl_release use after free Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 05/37] btrfs: fix block group leak when removing fails Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 06/37] ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 07/37] ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 08/37] ALSA: hda/hdmi: fix without unlocked before return Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 09/37] ALSA: pcm: oss: Place the plugin buffer overflow checks correctly Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 10/37] PM: ACPI: Output correct message on target power state Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 11/37] PM: hibernate: Freeze kernel threads in software_resume() Greg Kroah-Hartman
2020-05-05 12:09 ` Pavel Machek
2020-05-05 16:57 ` Dexuan Cui
2020-05-04 17:57 ` [PATCH 4.19 12/37] dm verity fec: fix hash block number in verity_fec_decode Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 13/37] dm writecache: fix data corruption when reloading the target Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 14/37] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 15/37] scsi: qla2xxx: set UNLOADING before waiting for session deletion Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 16/37] scsi: qla2xxx: check UNLOADING before posting async work Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 17/37] RDMA/mlx5: Set GRH fields in query QP on RoCE Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 18/37] RDMA/mlx4: Initialize ib_spec on the stack Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 19/37] RDMA/core: Prevent mixed use of FDs between shared ufiles Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 20/37] RDMA/core: Fix race between destroy and release FD object Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 21/37] vfio: avoid possible overflow in vfio_iommu_type1_pin_pages Greg Kroah-Hartman
2020-05-05 12:17 ` Pavel Machek
2020-05-04 17:57 ` [PATCH 4.19 22/37] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 23/37] iommu/qcom: Fix local_base status check Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 24/37] scsi: target/iblock: fix WRITE SAME zeroing Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 25/37] iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 26/37] ALSA: opti9xx: shut up gcc-10 range warning Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 27/37] nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 28/37] dmaengine: dmatest: Fix iteration non-stop logic Greg Kroah-Hartman
2020-05-05 12:31 ` Pavel Machek
2020-05-05 12:51 ` Andy Shevchenko
2020-05-05 12:58 ` Pavel Machek
2020-05-05 13:19 ` Andy Shevchenko
2020-05-05 13:37 ` Pavel Machek
2020-05-05 14:05 ` Andy Shevchenko
2020-05-05 14:53 ` Pavel Machek
2020-05-05 15:32 ` Sasha Levin
2020-05-05 15:57 ` Pavel Machek
2020-05-05 21:37 ` Andy Shevchenko
2020-05-04 17:57 ` Greg Kroah-Hartman [this message]
2020-05-04 17:57 ` [PATCH 4.19 30/37] btrfs: fix partial loss of prealloc extent past i_size after fsync Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 31/37] btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 32/37] mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 33/37] mmc: sdhci-xenon: fix annoying 1.8V regulator warning Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 34/37] mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 35/37] mmc: sdhci-msm: Enable host capabilities pertains to R1b response Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 36/37] mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 4.19 37/37] mmc: meson-mx-sdio: remove the broken ->card_busy() op Greg Kroah-Hartman
2020-05-05 7:42 ` [PATCH 4.19 00/37] 4.19.121-rc1 review Chris Paterson
2020-05-05 9:17 ` Greg Kroah-Hartman
[not found] ` <20200504165448.264746645-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-05 8:37 ` Jon Hunter
2020-05-05 8:37 ` Jon Hunter
2020-05-05 15:24 ` Naresh Kamboju
2020-05-05 15:50 ` shuah
2020-05-05 16:02 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200504165451.358601101@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=stable@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.