From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Kuniyuki Iwashima <kuniyu@amazon.com>,
Paul Moore <paul@paul-moore.com>, Paolo Abeni <pabeni@redhat.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 40/45] dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
Date: Wed, 15 Nov 2023 14:33:17 -0500 [thread overview]
Message-ID: <20231115191421.932938604@linuxfoundation.org> (raw)
In-Reply-To: <20231115191419.641552204@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]
Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
sockets") introduced security_inet_conn_request() in some functions
where reqsk is allocated. The hook is added just after the allocation,
so reqsk's IPv6 remote address was not initialised then.
However, SELinux/Smack started to read it in netlbl_req_setattr()
after commit e1adea927080 ("calipso: Allow request sockets to be
relabelled by the lsm.").
Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
not supported at that time. Finally, the same issue was introduced again
in IPv6.
Let's apply the same fix on DCCPv6 and TCPv6.
Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dccp/ipv6.c | 6 +++---
net/ipv6/syncookies.c | 7 ++++---
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 9b8c6cf0e5eee..72ceefbf23120 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -349,15 +349,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
if (dccp_parse_options(sk, dreq, skb))
goto drop_and_free;
- if (security_inet_conn_request(sk, skb, req))
- goto drop_and_free;
-
ireq = inet_rsk(req);
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
ireq->ireq_family = AF_INET6;
ireq->ir_mark = inet_request_mark(sk, skb);
+ if (security_inet_conn_request(sk, skb, req))
+ goto drop_and_free;
+
if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index d1bfdb9c2f2da..3a54d3947052e 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -183,14 +183,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
treq = tcp_rsk(req);
treq->tfo_listener = false;
- if (security_inet_conn_request(sk, skb, req))
- goto out_free;
-
req->mss = mss;
ireq->ir_rmt_port = th->source;
ireq->ir_num = ntohs(th->dest);
ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+
+ if (security_inet_conn_request(sk, skb, req))
+ goto out_free;
+
if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
--
2.42.0
next prev parent reply other threads:[~2023-11-15 20:04 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-15 19:32 [PATCH 4.14 00/45] 4.14.330-rc1 review Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 01/45] i40e: fix potential memory leaks in i40e_remove() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 02/45] tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 03/45] tcp_metrics: do not create an entry from tcp_init_metrics() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 04/45] wifi: rtlwifi: fix EDCA limit set by BT coexistence Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 05/45] thermal: core: prevent potential string overflow Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 06/45] ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 07/45] ipv6: avoid atomic fragment on GSO packets Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 08/45] clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 09/45] clk: keystone: pll: fix a couple NULL vs IS_ERR() checks Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 10/45] clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 11/45] clk: mediatek: clk-mt2701: " Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 12/45] platform/x86: wmi: Fix probe failure when failing to register WMI devices Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 13/45] drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 14/45] drm/radeon: possible buffer overflow Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 15/45] drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 16/45] ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 17/45] firmware: ti_sci: Mark driver as non removable Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 18/45] hwrng: geode - fix accessing registers Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 19/45] ARM: 9321/1: memset: cast the constant byte to unsigned char Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 20/45] ext4: move ix sanity check to corrent position Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 21/45] RDMA/hfi1: Workaround truncation compilation error Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 22/45] sh: bios: Revive earlyprintk support Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 23/45] ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 24/45] mfd: dln2: Fix double put in dln2_probe Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 25/45] tty: tty_jobctrl: fix pid memleak in disassociate_ctty() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 26/45] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 27/45] dmaengine: ti: edma: handle irq_of_parse_and_map() errors Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 28/45] misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 29/45] USB: usbip: fix stub_dev hub disconnect Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 30/45] dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 31/45] pcmcia: cs: fix possible hung task and memory leak pccardd() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 32/45] pcmcia: ds: fix refcount leak in pcmcia_device_add() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 33/45] pcmcia: ds: fix possible name leak in error path " Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 34/45] media: s3c-camif: Avoid inappropriate kfree() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 35/45] media: dvb-usb-v2: af9035: fix missing unlock Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 36/45] pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 37/45] llc: verify mac len before reading mac header Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 38/45] tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 39/45] dccp: Call security_inet_conn_request() after setting IPv4 addresses Greg Kroah-Hartman
2023-11-15 19:33 ` Greg Kroah-Hartman [this message]
2023-11-15 19:33 ` [PATCH 4.14 41/45] tg3: power down device only on SYSTEM_POWER_OFF Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 42/45] netfilter: xt_recent: fix (increase) ipv6 literal buffer length Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 43/45] fbdev: fsl-diu-fb: mark wr_reg_wa() static Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 44/45] Revert "mmc: core: Capture correct oemid-bits for eMMC cards" Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 45/45] btrfs: use u64 for buffer sizes in the tree search ioctls Greg Kroah-Hartman
2023-11-16 11:29 ` [PATCH 4.14 00/45] 4.14.330-rc1 review Naresh Kamboju
2023-11-16 20:08 ` Harshit Mogalapalli
2023-11-17 4:10 ` Guenter Roeck
2023-11-17 17:00 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231115191421.932938604@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuniyu@amazon.com \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).