[PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Debin Zhu]

Added IPv6 socket checks in `calipso_sock_getattr`, `calipso_sock_setattr`,
and `calipso_sock_delattr` functions.
Return `-EAFNOSUPPORT` error code if the socket is not of the IPv6 type.
This fix prevents the IPv6 datagram code from 
incorrectly calling the IPv4 datagram code,
thereby avoiding a NULL pointer exception.

Signed-off-by: Debin Zhu <mowenroot@163.com>
Signed-off-by: Bitao Ouyang <1985755126@qq.com>
---
 net/ipv6/calipso.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index dbcea9fee..ef55e4176 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk,
 	struct ipv6_opt_hdr *hop;
 	int opt_len, len, ret_val = -ENOMSG, offset;
 	unsigned char *opt;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
-
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
+	/* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;

@@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk,
 {
 	int ret_val;
 	struct ipv6_opt_hdr *old, *new;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
-
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
+	/* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	old = NULL;
 	if (txopts)
 		old = txopts->hopopt;
@@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk,
 static void calipso_sock_delattr(struct sock *sk)
 {
 	struct ipv6_opt_hdr *new_hop;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
-
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
+	/* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;

--
2.34.1

Re: [PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Paul Moore]

On Wed, Mar 26, 2025 at 3:44 AM Debin Zhu <mowenroot@163.com> wrote:
>
> Added IPv6 socket checks in `calipso_sock_getattr`, `calipso_sock_setattr`,
> and `calipso_sock_delattr` functions.
> Return `-EAFNOSUPPORT` error code if the socket is not of the IPv6 type.
> This fix prevents the IPv6 datagram code from
> incorrectly calling the IPv4 datagram code,
> thereby avoiding a NULL pointer exception.
>
> Signed-off-by: Debin Zhu <mowenroot@163.com>
> Signed-off-by: Bitao Ouyang <1985755126@qq.com>
> ---
>  net/ipv6/calipso.c | 27 +++++++++++++++++++++------
>  1 file changed, 21 insertions(+), 6 deletions(-)

Adding netdev and Jakub to the To/CC line, original lore link below:

https://lore.kernel.org/all/20250326074355.24016-1-mowenroot@163.com/

> diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
> index dbcea9fee..ef55e4176 100644
> --- a/net/ipv6/calipso.c
> +++ b/net/ipv6/calipso.c
> @@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk,
>         struct ipv6_opt_hdr *hop;
>         int opt_len, len, ret_val = -ENOMSG, offset;
>         unsigned char *opt;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> -
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
> +       /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
> +       if (!pinfo)
> +               return -EAFNOSUPPORT;
> +
> +       txopts = txopt_get(pinfo);
>         if (!txopts || !txopts->hopopt)
>                 goto done;

For all three function, I'd probably add a single blank line between
the local variable declarations and the code below for the sake of
readability.  I'd probably also drop the comment as the code seems
reasonably obvious (inet6_sk() can return NULL, we can't do anything
with a NULL ptr so bail), but neither are reasons for not applying
this patch, if anything they can be fixed up during the merge assuming
the patch author agrees.

Anyway, this looks good to me, Jakub and/or other netdev folks, we
should get this marked for stable and sent up to Linus, do you want to
do that or should I?

Acked-by: Paul Moore <paul@paul-moore.com>

> @@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk,
>  {
>         int ret_val;
>         struct ipv6_opt_hdr *old, *new;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> -
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
> +       /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
> +       if (!pinfo)
> +               return -EAFNOSUPPORT;
> +
> +       txopts = txopt_get(pinfo);
>         old = NULL;
>         if (txopts)
>                 old = txopts->hopopt;
> @@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk,
>  static void calipso_sock_delattr(struct sock *sk)
>  {
>         struct ipv6_opt_hdr *new_hop;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> -
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
> +       /* Prevent IPv6 datagram code from calling IPv4 datagram code, causing pinet6 to be NULL  */
> +       if (!pinfo)
> +               return -EAFNOSUPPORT;
> +
> +       txopts = txopt_get(pinfo);
>         if (!txopts || !txopts->hopopt)
>                 goto done;
>
> --
> 2.34.1

-- 
paul-moore.com

Re: [PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Jakub Kicinski]

On Wed, 26 Mar 2025 15:38:25 -0400 Paul Moore wrote:
> For all three function, I'd probably add a single blank line between
> the local variable declarations and the code below for the sake of
> readability.  I'd probably also drop the comment as the code seems
> reasonably obvious (inet6_sk() can return NULL, we can't do anything
> with a NULL ptr so bail), but neither are reasons for not applying
> this patch, if anything they can be fixed up during the merge assuming
> the patch author agrees.
> 
> Anyway, this looks good to me, Jakub and/or other netdev folks, we
> should get this marked for stable and sent up to Linus, do you want to
> do that or should I?

Thanks for the CC! Feel free to take it to Linus if you're happy with
it. We don't have the posting on the list so it'd be minor pain to apply.

As you say the safety check is probably okay, tho, it's unclear from 
the commit message and comment how we get here with a v4 socket or
perhaps not a fullsock..

Re: [PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Paul Moore]

On Fri, Mar 28, 2025 at 8:02 AM Jakub Kicinski <kuba@kernel.org> wrote:
> On Wed, 26 Mar 2025 15:38:25 -0400 Paul Moore wrote:
> > For all three function, I'd probably add a single blank line between
> > the local variable declarations and the code below for the sake of
> > readability.  I'd probably also drop the comment as the code seems
> > reasonably obvious (inet6_sk() can return NULL, we can't do anything
> > with a NULL ptr so bail), but neither are reasons for not applying
> > this patch, if anything they can be fixed up during the merge assuming
> > the patch author agrees.
> >
> > Anyway, this looks good to me, Jakub and/or other netdev folks, we
> > should get this marked for stable and sent up to Linus, do you want to
> > do that or should I?
>
> Thanks for the CC! Feel free to take it to Linus if you're happy with
> it. We don't have the posting on the list so it'd be minor pain to apply.

Will do.  As long as it gets up to Linus somehow I'm happy.

> As you say the safety check is probably okay, tho, it's unclear from
> the commit message and comment how we get here with a v4 socket or
> perhaps not a fullsock..

Good point about the root-cause/reproducer; there was some discussion
about this issue on a separate private list and I think we lost some
of the information along the way.  The initial report was for the
connect() case, but while looking into the problem I noticed a few
instances with a similar pattern and since we're only talking about
one additional NULL check during socket-level ops on a CALIPSO marked
socket (nothing per-packet), I figured to err on the side of safety.

Debin Zhu and Bitao Ouyang, considering the other suggested changes to
the code, would you be able to submit a second revision to the patch
that incorporates the suggested changes as well as an improved patch
description which includes your reproducer and notes on testing?  You
can send the email to the LSM <linux-security-module@vger.kernel.org>
list while CC'ing the netdev <netdev@vger.kernel.org> list, the
SELinux <selinux@vger.kernel.org> list, and me directly (just in case
there is another issue with the mailing lists).  This should also give
you an opportunity to try posting to the mailing lists again ;)

-- 
paul-moore.com

[PATCH v2] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Debin Zhu]

Vulnerability Description:

	From Linux Kernel v4.0 to the latest version, 
	a type confusion issue exists in the `netlbl_conn_setattr` 
	function (`net/netlabel/netlabel_kapi.c`) within SELinux, 
	which can lead to a local DoS attack.

	When calling `netlbl_conn_setattr`, 
	`addr->sa_family` is used to determine the function behavior. 
	If `sk` is an IPv4 socket, 
	but the `connect` function is called with an IPv6 address, 
	the function `calipso_sock_setattr()` is triggered. 
	Inside this function, the following code is executed:

	sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;

	Since `sk` is an IPv4 socket, `pinet6` is `NULL`, 
	leading to a null pointer dereference and triggering a DoS attack.

<TASK>
calipso_sock_setattr+0x4f/0x80 net/netlabel/netlabel_calipso.c:557
netlbl_conn_setattr+0x12a/0x390 net/netlabel/netlabel_kapi.c:1152
selinux_netlbl_socket_connect_helper 
selinux_netlbl_socket_connect_locked+0xf5/0x1d0 
selinux_netlbl_socket_connect+0x22/0x40 security/selinux/netlabel.c:611
selinux_socket_connect+0x60/0x80 security/selinux/hooks.c:4923
security_socket_connect+0x71/0xb0 security/security.c:2260
__sys_connect_file+0xa4/0x190 net/socket.c:2007
__sys_connect+0x145/0x170 net/socket.c:2028
__do_sys_connect net/socket.c:2038 [inline]
__se_sys_connect net/socket.c:2035 [inline]
__x64_sys_connect+0x6e/0xb0 net/socket.c:2035
do_syscall_x64 arch/x86/entry/common.c:51 

Affected Versions:

- Linux 4.0 - Latest Linux Kernel version

Reproduction Steps:

	Use the `netlabelctl` tool and 
	run the following commands to trigger the vulnerability:

	netlabelctl map del default
	netlabelctl cipsov4 add pass doi:8 tags:1
	netlabelctl map add default address:192.168.1.0/24 protocol:cipsov4,8
	netlabelctl calipso add pass doi:7
	netlabelctl map add default address:2001:db8::1/32 protocol:calipso,7

Then, execute the following PoC code:

	int sockfd = socket(AF_INET, SOCK_STREAM, 0);

	struct sockaddr_in6 server_addr = {0};
	server_addr.sin6_family = AF_INET6;     
	server_addr.sin6_port = htons(8080);    

	const char *ipv6_str = "2001:db8::1";    
	inet_pton(AF_INET6, ipv6_str, &server_addr.sin6_addr);

	connect(sockfd, (struct sockaddr*)&server_addr, sizeof(server_addr));

Suggested Fix:

	When using an IPv4 address on an IPv6 UDP/datagram socket, 
	the operation will invoke the IPv4 datagram code through 
	the IPv6 datagram code and execute successfully. 
	It is necessary to check whether the `pinet6` pointer 
	returned by `inet6_sk()` is NULL; otherwise, 
	unexpected issues may occur.

Signed-off-by: Debin Zhu <mowenroot@163.com>
Signed-off-by: Bitao Ouyang <1985755126@qq.com>
---
 net/ipv6/calipso.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index dbcea9fee..a8a8736df 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk,
 	struct ipv6_opt_hdr *hop;
 	int opt_len, len, ret_val = -ENOMSG, offset;
 	unsigned char *opt;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
 
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;
 
@@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk,
 {
 	int ret_val;
 	struct ipv6_opt_hdr *old, *new;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
-
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
+
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	old = NULL;
 	if (txopts)
 		old = txopts->hopopt;
@@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk,
 static void calipso_sock_delattr(struct sock *sk)
 {
 	struct ipv6_opt_hdr *new_hop;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
 
+	if (!pinfo)
+		return;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;
 
-- 
mowenroot@163.com

Re: [PATCH v2] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Paolo Abeni]

On 3/30/25 12:40 PM, Debin Zhu wrote:
> Vulnerability Description:
> 
> 	From Linux Kernel v4.0 to the latest version, 
> 	a type confusion issue exists in the `netlbl_conn_setattr` 
> 	function (`net/netlabel/netlabel_kapi.c`) within SELinux, 
> 	which can lead to a local DoS attack.
> 
> 	When calling `netlbl_conn_setattr`, 
> 	`addr->sa_family` is used to determine the function behavior. 
> 	If `sk` is an IPv4 socket, 
> 	but the `connect` function is called with an IPv6 address, 
> 	the function `calipso_sock_setattr()` is triggered. 
> 	Inside this function, the following code is executed:
> 
> 	sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
> 
> 	Since `sk` is an IPv4 socket, `pinet6` is `NULL`, 
> 	leading to a null pointer dereference and triggering a DoS attack.
> 
> <TASK>
> calipso_sock_setattr+0x4f/0x80 net/netlabel/netlabel_calipso.c:557
> netlbl_conn_setattr+0x12a/0x390 net/netlabel/netlabel_kapi.c:1152
> selinux_netlbl_socket_connect_helper 
> selinux_netlbl_socket_connect_locked+0xf5/0x1d0 
> selinux_netlbl_socket_connect+0x22/0x40 security/selinux/netlabel.c:611
> selinux_socket_connect+0x60/0x80 security/selinux/hooks.c:4923
> security_socket_connect+0x71/0xb0 security/security.c:2260
> __sys_connect_file+0xa4/0x190 net/socket.c:2007
> __sys_connect+0x145/0x170 net/socket.c:2028
> __do_sys_connect net/socket.c:2038 [inline]
> __se_sys_connect net/socket.c:2035 [inline]
> __x64_sys_connect+0x6e/0xb0 net/socket.c:2035
> do_syscall_x64 arch/x86/entry/common.c:51 
> 
> Affected Versions:
> 
> - Linux 4.0 - Latest Linux Kernel version
> 
> Reproduction Steps:
> 
> 	Use the `netlabelctl` tool and 
> 	run the following commands to trigger the vulnerability:
> 
> 	netlabelctl map del default
> 	netlabelctl cipsov4 add pass doi:8 tags:1
> 	netlabelctl map add default address:192.168.1.0/24 protocol:cipsov4,8
> 	netlabelctl calipso add pass doi:7
> 	netlabelctl map add default address:2001:db8::1/32 protocol:calipso,7
> 
> Then, execute the following PoC code:
> 
> 	int sockfd = socket(AF_INET, SOCK_STREAM, 0);
> 
> 	struct sockaddr_in6 server_addr = {0};
> 	server_addr.sin6_family = AF_INET6;     
> 	server_addr.sin6_port = htons(8080);    
> 
> 	const char *ipv6_str = "2001:db8::1";    
> 	inet_pton(AF_INET6, ipv6_str, &server_addr.sin6_addr);
> 
> 	connect(sockfd, (struct sockaddr*)&server_addr, sizeof(server_addr));
> 
> Suggested Fix:
> 
> 	When using an IPv4 address on an IPv6 UDP/datagram socket, 
> 	the operation will invoke the IPv4 datagram code through 
> 	the IPv6 datagram code and execute successfully. 
> 	It is necessary to check whether the `pinet6` pointer 
> 	returned by `inet6_sk()` is NULL; otherwise, 
> 	unexpected issues may occur.

The fix makes sense to me, but the commit message could use a
significant rewrite, avoiding the formatting and 'splitting' it in
several 'sections' with 'headers'.

The 'Affected Versions:' info is irrelevant, instead please include a
suitable 'Fixes:' tag, like:

Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the
secattr.")

and Paul's ack.

Thanks,

Paolo

[PATCH v3] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Debin Zhu]

When calling netlbl_conn_setattr(), addr->sa_family is used
to determine the function behavior. If sk is an IPv4 socket,
but the connect function is called with an IPv6 address,
the function calipso_sock_setattr() is triggered.
Inside this function, the following code is executed:

sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;

Since sk is an IPv4 socket, pinet6 is NULL, leading to a
null pointer dereference.

This patch fixes the issue by checking if inet6_sk(sk)
returns a NULL pointer before accessing pinet6.

Fixes: ceba1832b1b2("calipso: Set the calipso socket label to match the secattr.")
Signed-off-by: Debin Zhu <mowenroot@163.com>
Signed-off-by: Bitao Ouyang <1985755126@qq.com>
Acked-by: Paul Moore <paul@paul-moore.com>

---
 net/ipv6/calipso.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index dbcea9fee..a8a8736df 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk,
 	struct ipv6_opt_hdr *hop;
 	int opt_len, len, ret_val = -ENOMSG, offset;
 	unsigned char *opt;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
 
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;
 
@@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk,
 {
 	int ret_val;
 	struct ipv6_opt_hdr *old, *new;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
-
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
+
+	if (!pinfo)
+		return -EAFNOSUPPORT;
+
+	txopts = txopt_get(pinfo);
 	old = NULL;
 	if (txopts)
 		old = txopts->hopopt;
@@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk,
 static void calipso_sock_delattr(struct sock *sk)
 {
 	struct ipv6_opt_hdr *new_hop;
-	struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
+	struct ipv6_pinfo *pinfo = inet6_sk(sk);
+	struct ipv6_txoptions *txopts;
 
+	if (!pinfo)
+		return;
+
+	txopts = txopt_get(pinfo);
 	if (!txopts || !txopts->hopopt)
 		goto done;
 
-- 
2.34.1

Re: [PATCH v3] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Paul Moore]

On Tue, Apr 1, 2025 at 8:40 AM Debin Zhu <mowenroot@163.com> wrote:
>
> When calling netlbl_conn_setattr(), addr->sa_family is used
> to determine the function behavior. If sk is an IPv4 socket,
> but the connect function is called with an IPv6 address,
> the function calipso_sock_setattr() is triggered.
> Inside this function, the following code is executed:
>
> sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
>
> Since sk is an IPv4 socket, pinet6 is NULL, leading to a
> null pointer dereference.
>
> This patch fixes the issue by checking if inet6_sk(sk)
> returns a NULL pointer before accessing pinet6.
>
> Fixes: ceba1832b1b2("calipso: Set the calipso socket label to match the secattr.")
> Signed-off-by: Debin Zhu <mowenroot@163.com>
> Signed-off-by: Bitao Ouyang <1985755126@qq.com>
> Acked-by: Paul Moore <paul@paul-moore.com>

As a FYI in case people aren't seeing the previous messages in this
thread, I did ACK an earlier version of this patch, and while there
have been some changes to the code, they are largely superficial and
my ACK still applies.

The commit description looks okay to me.  Paolo, do you plan to take
this via the netdev tree or would you like me to take this?
Regardless, the patch should also be marked for stable.

> ---
>  net/ipv6/calipso.c | 23 +++++++++++++++++++----
>  1 file changed, 19 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
> index dbcea9fee..a8a8736df 100644
> --- a/net/ipv6/calipso.c
> +++ b/net/ipv6/calipso.c
> @@ -1072,8 +1072,13 @@ static int calipso_sock_getattr(struct sock *sk,
>         struct ipv6_opt_hdr *hop;
>         int opt_len, len, ret_val = -ENOMSG, offset;
>         unsigned char *opt;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
>
> +       if (!pinfo)
> +               return -EAFNOSUPPORT;
> +
> +       txopts = txopt_get(pinfo);
>         if (!txopts || !txopts->hopopt)
>                 goto done;
>
> @@ -1125,8 +1130,13 @@ static int calipso_sock_setattr(struct sock *sk,
>  {
>         int ret_val;
>         struct ipv6_opt_hdr *old, *new;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> -
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
> +
> +       if (!pinfo)
> +               return -EAFNOSUPPORT;
> +
> +       txopts = txopt_get(pinfo);
>         old = NULL;
>         if (txopts)
>                 old = txopts->hopopt;
> @@ -1153,8 +1163,13 @@ static int calipso_sock_setattr(struct sock *sk,
>  static void calipso_sock_delattr(struct sock *sk)
>  {
>         struct ipv6_opt_hdr *new_hop;
> -       struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
> +       struct ipv6_pinfo *pinfo = inet6_sk(sk);
> +       struct ipv6_txoptions *txopts;
>
> +       if (!pinfo)
> +               return;
> +
> +       txopts = txopt_get(pinfo);
>         if (!txopts || !txopts->hopopt)
>                 goto done;
>
> --
> 2.34.1

-- 
paul-moore.com

Re: [PATCH v3] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Simon Horman]

On Tue, Apr 01, 2025 at 08:40:18PM +0800, Debin Zhu wrote:
> When calling netlbl_conn_setattr(), addr->sa_family is used
> to determine the function behavior. If sk is an IPv4 socket,
> but the connect function is called with an IPv6 address,
> the function calipso_sock_setattr() is triggered.
> Inside this function, the following code is executed:
> 
> sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
> 
> Since sk is an IPv4 socket, pinet6 is NULL, leading to a
> null pointer dereference.
> 
> This patch fixes the issue by checking if inet6_sk(sk)
> returns a NULL pointer before accessing pinet6.
> 
> Fixes: ceba1832b1b2("calipso: Set the calipso socket label to match the secattr.")

There is probably no need to repost for this, but
there is a missing space in the Fixes tag. It should be like this:

Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")

> Signed-off-by: Debin Zhu <mowenroot@163.com>
> Signed-off-by: Bitao Ouyang <1985755126@qq.com>
> Acked-by: Paul Moore <paul@paul-moore.com>

...

Re: [PATCH v3] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Paul Moore]

On Wed, Apr 2, 2025 at 5:36 AM Simon Horman <horms@kernel.org> wrote:
> On Tue, Apr 01, 2025 at 08:40:18PM +0800, Debin Zhu wrote:
> > When calling netlbl_conn_setattr(), addr->sa_family is used
> > to determine the function behavior. If sk is an IPv4 socket,
> > but the connect function is called with an IPv6 address,
> > the function calipso_sock_setattr() is triggered.
> > Inside this function, the following code is executed:
> >
> > sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
> >
> > Since sk is an IPv4 socket, pinet6 is NULL, leading to a
> > null pointer dereference.
> >
> > This patch fixes the issue by checking if inet6_sk(sk)
> > returns a NULL pointer before accessing pinet6.
> >
> > Fixes: ceba1832b1b2("calipso: Set the calipso socket label to match the secattr.")
>
> There is probably no need to repost for this, but
> there is a missing space in the Fixes tag. It should be like this:
>
> Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")

Thanks.

Not sure if the netdev folks are going to pick this up or if I'll end
up taking it, but if I end up taking it I'll update the tag while
merging.

> > Signed-off-by: Debin Zhu <mowenroot@163.com>
> > Signed-off-by: Bitao Ouyang <1985755126@qq.com>
> > Acked-by: Paul Moore <paul@paul-moore.com>

-- 
paul-moore.com

Re: [PATCH v3] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[Jakub Kicinski]

On Wed, 2 Apr 2025 14:28:40 -0400 Paul Moore wrote:
> Not sure if the netdev folks are going to pick this up or if I'll end
> up taking it, but if I end up taking it I'll update the tag while
> merging.

Fixed and applied to net, thanks!

Re: Re: [PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

[mowenroot]

Hi Paul, Jakub, and all maintainers,

Thanks for your review and suggestions.

I have submitted the v2 patch and made the following improvements:

- Added a blank line between local variable declarations and the main logic for better readability.
- Removed unnecessary comments as the code is self-explanatory.
- Improved the commit message and included more detailed information, including the reproducer steps.

Many thanks to Paul for your careful guidance—you are a great teacher.

Thanks again for your feedback!

Thanks again.
 Debin Zhu & Bitao Ouyang

--
mowenroot@163.com