From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Anton Blanchard <anton@samba.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [17/90] net: Fix security_socket_sendmsg() bypass problem.
Date: Fri, 12 Aug 2011 14:04:02 -0700 [thread overview]
Message-ID: <20110812210553.587939730@clark.kroah.org> (raw)
In-Reply-To: <20110812210626.GA4725@kroah.com>
3.0-stable review patch. If anyone has any objections, please let us know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
The sendmmsg() introduced by commit 228e548e "net: Add sendmmsg socket system
call" is capable of sending to multiple different destination addresses.
SMACK is using destination's address for checking sendmsg() permission.
However, security_socket_sendmsg() is called for only once even if multiple
different destination addresses are passed to sendmmsg().
Therefore, we need to call security_socket_sendmsg() for each destination
address rather than only the first destination address.
Since calling security_socket_sendmsg() every time when only single destination
address was passed to sendmmsg() is a waste of time, omit calling
security_socket_sendmsg() unless destination address of previous datagram and
that of current datagram differs.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/socket.c | 43 ++++++++++++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 9 deletions(-)
--- a/net/socket.c
+++ b/net/socket.c
@@ -1871,8 +1871,14 @@ SYSCALL_DEFINE2(shutdown, int, fd, int,
#define COMPAT_NAMELEN(msg) COMPAT_MSG(msg, msg_namelen)
#define COMPAT_FLAGS(msg) COMPAT_MSG(msg, msg_flags)
+struct used_address {
+ struct sockaddr_storage name;
+ unsigned int name_len;
+};
+
static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- struct msghdr *msg_sys, unsigned flags, int nosec)
+ struct msghdr *msg_sys, unsigned flags,
+ struct used_address *used_address)
{
struct compat_msghdr __user *msg_compat =
(struct compat_msghdr __user *)msg;
@@ -1953,8 +1959,28 @@ static int __sys_sendmsg(struct socket *
if (sock->file->f_flags & O_NONBLOCK)
msg_sys->msg_flags |= MSG_DONTWAIT;
- err = (nosec ? sock_sendmsg_nosec : sock_sendmsg)(sock, msg_sys,
- total_len);
+ /*
+ * If this is sendmmsg() and current destination address is same as
+ * previously succeeded address, omit asking LSM's decision.
+ * used_address->name_len is initialized to UINT_MAX so that the first
+ * destination address never matches.
+ */
+ if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+ !memcmp(&used_address->name, msg->msg_name,
+ used_address->name_len)) {
+ err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ goto out_freectl;
+ }
+ err = sock_sendmsg(sock, msg_sys, total_len);
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+ memcpy(&used_address->name, msg->msg_name,
+ used_address->name_len);
+ }
out_freectl:
if (ctl_buf != ctl)
@@ -1979,7 +2005,7 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
if (!sock)
goto out;
- err = __sys_sendmsg(sock, msg, &msg_sys, flags, 0);
+ err = __sys_sendmsg(sock, msg, &msg_sys, flags, NULL);
fput_light(sock->file, fput_needed);
out:
@@ -1998,6 +2024,7 @@ int __sys_sendmmsg(int fd, struct mmsghd
struct mmsghdr __user *entry;
struct compat_mmsghdr __user *compat_entry;
struct msghdr msg_sys;
+ struct used_address used_address;
if (vlen > UIO_MAXIOV)
vlen = UIO_MAXIOV;
@@ -2008,24 +2035,22 @@ int __sys_sendmmsg(int fd, struct mmsghd
if (!sock)
return err;
+ used_address.name_len = UINT_MAX;
entry = mmsg;
compat_entry = (struct compat_mmsghdr __user *)mmsg;
err = 0;
while (datagrams < vlen) {
- /*
- * No need to ask LSM for more than the first datagram.
- */
if (MSG_CMSG_COMPAT & flags) {
err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
- &msg_sys, flags, datagrams);
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = __put_user(err, &compat_entry->msg_len);
++compat_entry;
} else {
err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
- &msg_sys, flags, datagrams);
+ &msg_sys, flags, &used_address);
if (err < 0)
break;
err = put_user(err, &entry->msg_len);
next prev parent reply other threads:[~2011-08-14 16:06 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-12 21:06 [00/90] 3.0.2-stable review Greg KH
2011-08-12 21:03 ` [01/90] cris: fix a build error in kernel/fork.c Greg KH
2011-08-12 21:03 ` [02/90] cris: fix a build error in sync_serial_open() Greg KH
2011-08-12 21:03 ` [03/90] cris: fix the prototype of sync_serial_ioctl() Greg KH
2011-08-12 21:03 ` [04/90] cris: add missing declaration of kgdb_init() and breakpoint() Greg KH
2011-08-12 21:03 ` [05/90] futex: Fix regression with read only mappings Greg KH
2011-08-12 21:03 ` [06/90] [PARISC] wire up sendmmsg syscall Greg KH
2011-08-12 21:03 ` [07/90] [PARISC] Fix futex support Greg KH
2011-08-12 21:03 ` [08/90] [PARISC] fix return type of __atomic64_add_return Greg KH
2011-08-12 21:03 ` [09/90] rt2x00: rt2800: fix zeroing skb structure Greg KH
2011-08-12 21:03 ` [10/90] rt2x00: fix usage of NULL queue Greg KH
2011-08-12 21:03 ` [11/90] rtlwifi: Fix kernel oops on ARM SOC Greg KH
2011-08-12 21:03 ` [12/90] iwlegacy: set tx power after rxon_assoc Greg KH
2011-08-12 21:03 ` [13/90] ath9k: initialize tx chainmask before testing channel tx power values Greg KH
2011-08-12 21:03 ` [14/90] ath9k: skip ->config_pci_powersave() if PCIe port has ASPM disabled Greg KH
2011-08-12 21:04 ` [15/90] net: sendmmsg should only return an error if no messages were sent Greg KH
2011-08-12 21:04 ` [16/90] net: Cap number of elements for sendmmsg Greg KH
2011-08-12 21:04 ` Greg KH [this message]
2011-08-12 21:04 ` [18/90] xen: allow enable use of VGA console on dom0 Greg KH
2011-08-12 21:04 ` [19/90] drm: Separate EDID Header Check from EDID Block Check Greg KH
2011-08-12 21:04 ` [20/90] drm/radeon: Extended DDC Probing for Connectors with Improperly Wired DDC Lines (here: Asus M2A-VM HDMI) Greg KH
2011-08-12 21:04 ` [21/90] drm/radeon: Extended DDC Probing for ECS A740GM-M DVI-D Connector Greg KH
2011-08-12 21:04 ` [22/90] drm/radeon: Log Subsystem Vendor and Device Information Greg KH
2011-08-12 21:04 ` [23/90] drm/i915/pch: Fix integer math bugs in panel fitting Greg KH
2011-08-12 21:04 ` [24/90] drm/i915: load the LUT before pipe enable on ILK+ Greg KH
2011-08-12 21:04 ` [25/90] drm/i915: Fix typo in DRM_I915_OVERLAY_PUT_IMAGE ioctl define Greg KH
2011-08-12 21:04 ` [26/90] drm/i915: Initialize RCS ring status page address in intel_render_ring_init_dri Greg KH
2011-08-12 21:04 ` [27/90] drm/i915: Hold mode_config->mutex during hotplug processing Greg KH
2011-08-12 21:04 ` [28/90] drm/i915: Fixup for Hold mode_config->mutex during hotplug Greg KH
2011-08-12 21:04 ` [29/90] crypto: Move md5_transform to lib/md5.c Greg KH
2011-08-12 21:04 ` [30/90] net: Compute protocol sequence numbers and fragment IDs using MD5 Greg KH
2011-08-12 21:04 ` [31/90] asus-wmi: fix hwmon/pwm1 Greg KH
2011-08-12 21:04 ` [32/90] asus-wmi: return proper value in store_cpufv() Greg KH
2011-08-12 21:04 ` [33/90] CIFS: Fix missing a decrement of inFlight value Greg KH
2011-08-12 21:04 ` [34/90] cifs: cope with negative dentries in cifs_get_root Greg KH
2011-08-12 21:04 ` [35/90] cifs: convert prefixpath delimiters in Greg KH
2011-08-12 21:04 ` [36/90] ASoC: sgtl5000: fix cache handling Greg KH
2011-08-12 21:04 ` [37/90] ALSA: timer - Fix Oops at closing slave timer Greg KH
2011-08-12 21:04 ` [38/90] ALSA: snd-usb-caiaq: Fix keymap for RigKontrol3 Greg KH
2011-08-12 21:04 ` [39/90] ALSA: snd-usb: avoid dividing by zero on invalid input Greg KH
2011-08-12 21:04 ` [40/90] ALSA: snd-usb: operate on given mixer interface only Greg KH
2011-08-12 21:04 ` [41/90] ALSA: snd-usb: Accept UAC2 FORMAT_TYPE descriptors with Greg KH
2011-08-12 21:04 ` [42/90] ipv6: make fragment identifications less predictable Greg KH
2011-08-12 21:04 ` [43/90] icmp: Fix regression in nexthop resolution during replies Greg KH
2011-08-12 21:04 ` [44/90] ipv4: Constrain UFO fragment sizes to multiples of 8 bytes Greg KH
2011-08-12 21:04 ` [45/90] ipv4: fix the reusing of routing cache entries Greg KH
2011-08-12 21:04 ` [46/90] IPVS: Free resources on module removal Greg KH
2011-08-12 21:04 ` [47/90] net: adjust array index Greg KH
2011-08-12 21:04 ` [48/90] drivers/net/niu.c: " Greg KH
2011-08-12 21:04 ` [49/90] sch_sfq: fix sfq_enqueue() Greg KH
2011-08-12 21:04 ` [50/90] IPv4: Send gratuitous ARP for secondary IP addresses also Greg KH
2011-08-12 21:04 ` [51/90] net: add IFF_SKB_TX_SHARED flag to priv_flags Greg KH
2011-08-12 21:04 ` [52/90] net: Audit drivers to identify those needing IFF_TX_SKB_SHARING cleared Greg KH
2011-08-12 21:04 ` [53/90] bonding: fix string comparison errors Greg KH
2011-08-12 21:04 ` [54/90] Fix cdc-phonet build Greg KH
2011-08-12 21:04 ` [55/90] xfrm: Fix key lengths for rfc3686(ctr(aes)) Greg KH
2011-08-12 21:04 ` [56/90] sis190: Rx filter init is needed for MAC address change Greg KH
2011-08-12 21:04 ` [57/90] r8169: Add support for D-Link 530T rev C1 (Kernel Bug 38862) Greg KH
2011-08-12 21:04 ` [58/90] net: allow netif_carrier to be called safely from IRQ Greg KH
2011-08-12 21:04 ` [59/90] ipv4: use RT_TOS after some rt_tos conversions Greg KH
2011-08-12 21:04 ` [60/90] gre: fix improper error handling Greg KH
2011-08-12 21:04 ` [61/90] iwlagn: 5000 do not support idle mode Greg KH
2011-08-12 21:04 ` [62/90] [SCSI] mpt2sas: Fixed Big Indian Issues on 32 bit PPC Greg KH
2011-08-12 21:04 ` [63/90] sparc: Dont leave sparc_pmu_type NULL on sun4v Greg KH
2011-08-12 21:04 ` [64/90] sparc: Add T3 sun4v cpu type and hypervisor group defines Greg KH
2011-08-12 21:04 ` [65/90] sparc: Dont do expensive hypervisor PCR write unless necessary Greg KH
2011-08-12 21:04 ` [66/90] sparc: Detect and handle UltraSPARC-T3 cpu types Greg KH
2011-08-12 21:04 ` [67/90] sparc: Sanitize cpu feature detection and reporting Greg KH
2011-08-12 21:04 ` [68/90] sparc: Minor tweaks to Niagara page copy/clear Greg KH
2011-08-12 21:04 ` [69/90] sparc: Use popc if possible for hweight routines Greg KH
2011-08-12 21:04 ` [70/90] sparc: Use hweight64() in popc emulation Greg KH
2011-08-12 21:04 ` [71/90] sparc: Add some missing hypervisor API groups Greg KH
2011-08-12 21:04 ` [72/90] sparc: Set reboot-cmd using reboot data hypervisor call if available Greg KH
2011-08-12 21:04 ` [73/90] sparc: Use popc when possible for ffs/__ffs/ffz Greg KH
2011-08-12 21:04 ` [74/90] sparc: Access kernel TSB using physical addressing when possible Greg KH
2011-08-12 21:05 ` [75/90] sparc: Size mondo queues more sanely Greg KH
2011-08-12 21:05 ` [76/90] sparc: Fix build with DEBUG_PAGEALLOC enabled Greg KH
2011-08-12 21:05 ` [77/90] Ecryptfs: Add mount option to check uid of device being Greg KH
2011-08-12 21:05 ` [78/90] eCryptfs: Return error when lower file pointer is NULL Greg KH
2011-08-12 21:05 ` [79/90] powerpc/pseries: Fix kexec on recent firmware versions Greg KH
2011-08-12 21:05 ` [80/90] powerpc: Fix device tree claim code Greg KH
2011-08-12 21:05 ` [81/90] powerpc: pseries: Fix kexec on machines with more than 4TB of RAM Greg KH
2011-08-12 21:05 ` [82/90] ext3: Properly count journal credits for long symlinks Greg KH
2011-08-12 21:05 ` [83/90] ext4: " Greg KH
2011-08-12 21:05 ` [84/90] e1000e: alternate MAC address does not work on device id 0x1060 Greg KH
2011-08-12 21:05 ` [85/90] gianfar: fix fiper alignment after resetting the time Greg KH
2011-08-12 21:05 ` [86/90] dp83640: increase receive time stamp buffer size Greg KH
2011-08-12 21:05 ` [87/90] ath9k_hw: Fix incorrect Tx control power in AR9003 template Greg KH
2011-08-12 21:05 ` [88/90] ath9k: fix a misprint which leads to incorrect calibration Greg KH
2011-08-12 21:05 ` [89/90] sparc: Dont do hypervisor calls on non-sun4v in DS driver Greg KH
2011-08-12 21:05 ` [90/90] mm: Fix fixup_user_fault() for MMU=n Greg KH
2011-08-14 10:31 ` [00/90] 3.0.2-stable review Jiri Slaby
2011-08-14 16:18 ` Greg KH
2011-08-15 20:56 ` Dave Jones
2011-08-16 1:24 ` Greg KH
2011-08-16 17:46 ` Arnaud Lacombe
2011-08-16 17:59 ` Greg KH
2011-08-16 18:10 ` Linus Torvalds
2011-08-16 21:11 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110812210553.587939730@clark.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=anton@samba.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox