From: Paul Moore <paul@paul-moore.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: John Stultz <johnstul@us.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
lkml <linux-kernel@vger.kernel.org>,
James Morris <james.l.morris@oracle.com>,
selinux@tycho.nsa.gov, Eric Dumazet <edumazet@google.com>,
john.johansen@canonical.com
Subject: Re: NULL pointer dereference in selinux_ip_postroute_compat
Date: Wed, 08 Aug 2012 15:50:47 -0400 [thread overview]
Message-ID: <1469977.Edv3iizobX@sifl> (raw)
In-Reply-To: <1344454701.28967.233.camel@edumazet-glaptop>
On Wednesday, August 08, 2012 09:38:21 PM Eric Dumazet wrote:
> On Wed, 2012-08-08 at 15:26 -0400, Paul Moore wrote:
> > On Wednesday, August 08, 2012 12:14:42 PM John Stultz wrote:
> > > So I bisected this down and it seems to be the following commit:
> > >
> > > commit be9f4a44e7d41cee50ddb5f038fc2391cbbb4046
> > > Author: Eric Dumazet <edumazet@google.com>
> > > Date: Thu Jul 19 07:34:03 2012 +0000
> > >
> > > ipv4: tcp: remove per net tcp_sock
> > >
> > > It doesn't revert totally cleanly, but after fixing up the rejections
> > > and booting with this patch removed on top of Linus' head the oops on
> > > shutdown goes away.
> >
> > Thanks!
> >
> > It looks the like there is a bug in ip_send_unicast_reply() which uses a
> > inet_sock/sock struct which does not have the LSM data properly
> > initialized.
> >
> > I'll put together a patch shortly.
>
> Something like this ?
Yep. I was just trying to see if there was a way we could avoid having to
make it conditional on CONFIG_SECURITY, but I think this is a better approach
than the alternatives.
I'm also looking into making sure we get a sane LSM label on the per-cpu sock
as security_sk_alloc() just allocates and initializes the LSM blob to a basic
starting value (unlabeled_t in the case of SELinux) ... that is likely to be
the tricky bit.
Regardless, I'm okay with us merging the patch below now to fix the panic and
I'll supply a follow-up patch to fix the labeling once I figure out a solution
that seems reasonable. Does that work for you? David?
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index ba39a52..027a331 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1524,6 +1524,10 @@ void ip_send_unicast_reply(struct net *net, struct
> sk_buff *skb, __be32 daddr, sk->sk_priority = skb->priority;
> sk->sk_protocol = ip_hdr(skb)->protocol;
> sk->sk_bound_dev_if = arg->bound_dev_if;
> +#ifdef CONFIG_SECURITY
> + if (!sk->sk_security && security_sk_alloc(sk, PF_INET, GFP_ATOMIC))
> + goto out;
> +#endif
> sock_net_set(sk, net);
> __skb_queue_head_init(&sk->sk_write_queue);
> sk->sk_sndbuf = sysctl_wmem_default;
> @@ -1539,7 +1543,7 @@ void ip_send_unicast_reply(struct net *net, struct
> sk_buff *skb, __be32 daddr, skb_set_queue_mapping(nskb,
> skb_get_queue_mapping(skb));
> ip_push_pending_frames(sk, &fl4);
> }
> -
> +out:
> put_cpu_var(unicast_sock);
>
> ip_rt_put(rt);
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2012-08-08 19:50 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-07 18:12 NULL pointer dereference in selinux_ip_postroute_compat John Stultz
2012-08-07 21:50 ` Paul Moore
2012-08-07 21:58 ` John Stultz
2012-08-07 22:01 ` Paul Moore
2012-08-07 22:17 ` Serge E. Hallyn
2012-08-07 22:23 ` Paul Moore
2012-08-07 22:37 ` John Stultz
2012-08-08 19:14 ` John Stultz
2012-08-08 19:26 ` Paul Moore
2012-08-08 19:38 ` Eric Dumazet
2012-08-08 19:49 ` John Stultz
2012-08-08 20:04 ` Eric Dumazet
2012-08-08 19:50 ` Paul Moore [this message]
2012-08-08 20:04 ` Eric Dumazet
2012-08-08 19:59 ` Eric Paris
2012-08-08 20:09 ` Eric Dumazet
2012-08-08 20:32 ` Eric Dumazet
2012-08-08 20:46 ` Paul Moore
2012-08-08 21:54 ` Eric Dumazet
2012-08-09 0:00 ` Casey Schaufler
2012-08-09 13:30 ` Paul Moore
2012-08-09 14:27 ` Eric Dumazet
2012-08-09 15:04 ` Paul Moore
2012-08-09 14:50 ` [PATCH] ipv4: tcp: security_sk_alloc() needed for unicast_sock Eric Dumazet
2012-08-09 15:07 ` Paul Moore
2012-08-09 15:36 ` Eric Dumazet
2012-08-09 15:59 ` Paul Moore
2012-08-09 16:05 ` Eric Paris
2012-08-09 16:09 ` Paul Moore
2012-08-09 17:46 ` Eric Dumazet
2012-08-09 20:06 ` Eric Paris
2012-08-09 20:19 ` Paul Moore
2012-08-09 21:29 ` Eric Dumazet
2012-08-09 21:53 ` Casey Schaufler
2012-08-09 22:05 ` Eric Dumazet
2012-08-09 22:26 ` Casey Schaufler
2012-08-09 23:38 ` David Miller
2012-08-09 23:56 ` [PATCH] ipv4: tcp: unicast_sock should not land outside of TCP stack Eric Dumazet
2012-08-10 4:05 ` David Miller
2012-08-08 20:35 ` NULL pointer dereference in selinux_ip_postroute_compat Paul Moore
2012-08-08 20:51 ` Eric Paris
2012-08-08 21:03 ` Paul Moore
2012-08-08 21:09 ` Eric Paris
2012-08-08 19:29 ` Eric Dumazet
2012-08-08 16:58 ` John Johansen
2012-08-07 22:26 ` John Stultz
2012-08-07 22:31 ` John Stultz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1469977.Edv3iizobX@sifl \
--to=paul@paul-moore.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=johnstul@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox