Message-ID: <551ADEEB.1050206@schaufler-ca.com>
Date: Tue, 31 Mar 2015 10:52:43 -0700
From: Casey Schaufler
To: maninder1.s@samsung.com, Paul Moore
CC: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Vaneet Narang, AJEET YADAV, Casey Schaufler
Subject: Re: [Fix kernel crash in cipso_v4_sock_delattr ]
References: <1834203638.139231427778581653.JavaMail.weblogic@epmlwas08d>
In-Reply-To: <1834203638.139231427778581653.JavaMail.weblogic@epmlwas08d>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/30/2015 10:09 PM, Maninder Singh wrote:
> We are currently using 3.10.58 kernel and we are facing this issue for Smack enabled system.
> And as we can check, other APIs like netlbl_sock_getattr and netlbl_conn_setattr have this preventive check, so we added this check for netlbl_sock_delattr also.
>
> And regarding patch re-submission, actually we have run checkpatch.pl before submission (successful). But when we submit the patch our editor changes tabs into spaces; we will resubmit the patch ASAP.

Further review shows that the Smack code in 3.10.72 (I don't believe it changed after 3.10.58) already checks for the address family being AF_INET. This would indicate that the netlink code is sending garbage to security_socket_sendmsg(). Can you provide a more specific test case? I would like to see if this problem is present in newer kernels.

>
> Maninder Singh
> ------- Original Message -------
> Sender : Casey Schaufler
> Date : Mar 31, 2015 02:25 (GMT+09:00)
> Title : Re: [Fix kernel crash in cipso_v4_sock_delattr ]
>
> On 3/30/2015 4:32 AM, Paul Moore wrote:
>> On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
>>> Dear All,
>>> we found one kernel crash issue in cipso_v4_sock_delattr:
>>> As CIPSO supports only inet sockets, cipso_v4_sock_delattr will crash when
>>> trying to access any other socket type. cipso_v4_sock_delattr accesses
>>> sk_inet->inet_opt, which may contain a non-NULL but invalid address. We found
>>> this issue with a netlink socket (reproducible by trinity using the sendto system
>>> call).
>> Hello,
>>
>> First, please go read the Documentation/SubmittingPatches from the kernel
>> sources; your patch needs to be resubmitted and the instructions in that file
>> will show you how to do it correctly next time.
>>
>> Second, this appears to only affect Smack based systems, yes? SELinux based
>> systems should have the proper checking in place to prevent this (the checks
>> are handled in the LSM).
> This looks like a problem that was fixed some time ago.
> The current Smack code clearly checks for this. What kernel
> version are you testing against?
>
>> That said, it probably wouldn't hurt to add the
>> extra checking to netlbl_sock_delattr(). If you properly resubmit your patch
>> I'll ACK it.
>>
>> -Paul
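The thread turns on one defensive pattern: a `struct sock *` handed to the NetLabel/LSM hooks can belong to any address family, and `inet_sk()` is a bare cast, so code that reads `inet_opt` must first check `sk_family`, as the other netlbl_* entry points already do. The userspace model below is an added example written for this page, not the kernel's code or the patch under discussion; the struct layouts, the `AF_*` values, the `netlink_sock` field and the option block are simplified, constructed stand-ins. It shows the guarded dispatcher beside a raw read of the bytes an unguarded cast would treat as `inet_opt`, copied out rather than dereferenced so the program stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel's address-family constants. */
#define AF_INET    2
#define AF_NETLINK 16

/* Generic socket header; each protocol-specific socket embeds it first. */
struct sock {
    int sk_family;
};

/* IPv4 socket: CIPSO keeps its option block behind inet_opt. */
struct ip_options {
    int optlen;
};
struct inet_sock {
    struct sock sk;
    struct ip_options *inet_opt;
};

/* Netlink socket (simplified): the word after the header is an id, not a pointer. */
struct netlink_sock {
    struct sock sk;
    uintptr_t portid;
};

/* inet_sk() is a plain cast, so it "succeeds" on any socket. */
static inline struct inet_sock *inet_sk(struct sock *sk)
{
    return (struct inet_sock *)sk;
}

enum delattr_result {
    DELATTR_SKIPPED = 0,   /* family not handled; inet fields never touched */
    DELATTR_CIPSO   = 1    /* cipso_v4_sock_delattr() ran */
};

/* Model of cipso_v4_sock_delattr(): only valid when sk really is an inet_sock. */
static void cipso_v4_sock_delattr(struct sock *sk)
{
    struct inet_sock *sk_inet = inet_sk(sk);

    if (sk_inet->inet_opt) {
        free(sk_inet->inet_opt);
        sk_inet->inet_opt = NULL;
    }
}

/* Guarded dispatcher: inspect sk_family before casting to a protocol-specific type. */
enum delattr_result netlbl_sock_delattr(struct sock *sk)
{
    switch (sk->sk_family) {
    case AF_INET:
        cipso_v4_sock_delattr(sk);
        return DELATTR_CIPSO;
    default:
        return DELATTR_SKIPPED;
    }
}

/* The bits an unguarded cast would read as inet_opt, copied out via char bytes
 * so nothing is dereferenced. On a non-inet socket this is whatever the other
 * protocol stores there: non-NULL, yet not a pointer. */
uintptr_t unguarded_inet_opt_bits(struct sock *sk)
{
    uintptr_t bits;
    memcpy(&bits, (unsigned char *)sk + offsetof(struct inet_sock, inet_opt), sizeof bits);
    return bits;
}

/* AF_INET socket with a constructed option block: delattr must free it. Returns 1 on success. */
int demo_inet_socket(void)
{
    struct inet_sock isk = { .sk = { .sk_family = AF_INET }, .inet_opt = NULL };
    isk.inet_opt = calloc(1, sizeof *isk.inet_opt);
    if (!isk.inet_opt)
        return -1;
    isk.inet_opt->optlen = 12;
    enum delattr_result r = netlbl_sock_delattr(&isk.sk);
    return (r == DELATTR_CIPSO && isk.inet_opt == NULL) ? 1 : 0;
}

/* AF_NETLINK socket with constructed id 0x1234: the guard must leave it alone. Returns 1 on success. */
int demo_netlink_socket(void)
{
    struct netlink_sock nsk = { .sk = { .sk_family = AF_NETLINK }, .portid = 0x1234 };
    enum delattr_result r = netlbl_sock_delattr(&nsk.sk);
    return (r == DELATTR_SKIPPED && nsk.portid == 0x1234) ? 1 : 0;
}

/* What the unguarded path would have taken for inet_opt on that netlink socket. */
uintptr_t demo_netlink_bits(void)
{
    struct netlink_sock nsk = { .sk = { .sk_family = AF_NETLINK }, .portid = 0x1234 };
    return unguarded_inet_opt_bits(&nsk.sk);
}

int main(void)
{
    printf("inet socket: %s\n", demo_inet_socket() == 1 ? "options dropped" : "FAILED");
    printf("netlink socket: guard ok=%d, unguarded inet_opt would be %#lx\n",
           demo_netlink_socket(), (unsigned long)demo_netlink_bits());
    return 0;
}
```

The point of `unguarded_inet_opt_bits()` is Maninder's observation that the field "may contain not NULL but invalid address": on the netlink socket it yields the constructed id, so a NULL check alone would pass and the dereference would follow. The family switch is what keeps that cast from ever being reached, which is why both Paul and Casey treat the check as belonging in netlbl_sock_delattr() regardless of which LSM sits above it.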