* [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
@ 2024-11-26 14:59 Eric Dumazet
From: Eric Dumazet @ 2024-11-26 14:59 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: netdev, eric.dumazet, Eric Dumazet, syzbot+2d9f5f948c31dcb7745e,
Paul Moore, Stephen Smalley, Ondrej Mosnacek, selinux,
Kuniyuki Iwashima, Brian Vazquez

In blamed commit, TCP started to attach timewait sockets to
some skbs.

syzbot reported that selinux_ip_output() was not expecting them yet.

Note that using sk_to_full_sk() is still allowing the
following sk_listener() check to work as before.

BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894
CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
selinux_sock security/selinux/include/objsec.h:207 [inline]
selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
nf_hook+0x386/0x6d0 include/linux/netfilter.h:269
__ip_local_out+0x339/0x640 net/ipv4/ip_output.c:119
ip_local_out net/ipv4/ip_output.c:128 [inline]
ip_send_skb net/ipv4/ip_output.c:1505 [inline]
ip_push_pending_frames+0xa0/0x5b0 net/ipv4/ip_output.c:1525
ip_send_unicast_reply+0xd0e/0x1650 net/ipv4/ip_output.c:1672
tcp_v4_send_ack+0x976/0x13f0 net/ipv4/tcp_ipv4.c:1024
tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline]
tcp_v4_rcv+0x2f96/0x4390 net/ipv4/tcp_ipv4.c:2428
ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:460 [inline]
ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5672
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
process_backlog+0x443/0x15f0 net/core/dev.c:6117
__napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6877
napi_poll net/core/dev.c:6946 [inline]
net_rx_action+0xa94/0x1010 net/core/dev.c:7068
handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
do_softirq kernel/softirq.c:455 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:442
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0x8af/0x43e0 net/core/dev.c:4461
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_hh_output include/net/neighbour.h:523 [inline]
neigh_output include/net/neighbour.h:537 [inline]
ip_finish_output2+0xc6c/0x2150 net/ipv4/ip_output.c:236
__ip_finish_output net/ipv4/ip_output.c:314 [inline]
__ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
dst_output include/net/dst.h:450 [inline]
ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
__ip_queue_xmit+0x777/0x1970 net/ipv4/ip_output.c:536
__tcp_transmit_skb+0x2b39/0x3df0 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_write_xmit+0x12b1/0x8560 net/ipv4/tcp_output.c:2827
__tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3010
tcp_send_fin+0x154/0xc70 net/ipv4/tcp_output.c:3616
__tcp_close+0x96b/0xff0 net/ipv4/tcp.c:3130
tcp_close+0x28/0x120 net/ipv4/tcp.c:3221
inet_release+0x13c/0x280 net/ipv4/af_inet.c:435
__sock_release net/socket.c:640 [inline]
sock_release+0x8e/0x1d0 net/socket.c:668
smc_clcsock_release+0xb7/0xe0 net/smc/smc_close.c:34
__smc_release+0x5c2/0x880 net/smc/af_smc.c:301
smc_release+0x1fc/0x5f0 net/smc/af_smc.c:344
__sock_release+0xb0/0x270 net/socket.c:640
sock_close+0x1c/0x30 net/socket.c:1408
__fput+0x3f8/0xb60 fs/file_table.c:450
__fput_sync+0xa1/0xc0 fs/file_table.c:535
__do_sys_close fs/open.c:1550 [inline]
__se_sys_close fs/open.c:1535 [inline]
__x64_sys_close+0x86/0x100 fs/open.c:1535
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs")
Reported-by: syzbot+2d9f5f948c31dcb7745e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org
Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: Brian Vazquez <brianvv@google.com>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5a08f94e09402b6b0b1538fae1a7a3f5af19fe6..366c87a40bd15707f6da4f25e8de4ddce3d281fc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5738,7 +5738,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
* because we want to make sure we apply the necessary labeling
* before IPsec is applied so we can leverage AH protection */
- sk = skb->sk;
+ sk = sk_to_full_sk(skb->sk);
if (sk) {
struct sk_security_struct *sksec;
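Review bot: The `sk = sk_to_full_sk(skb->sk);` line carries no comment saying why the raw pointer is unsafe here, and the block comment directly above it only explains the LOCAL_OUT versus POST_ROUTING choice. Since the commit message says TCP can now attach timewait sockets to skbs, a one-line comment next to the assignment, for example "skb->sk may be a timewait socket, which is not a full socket", would keep a later cleanup from reverting to `skb->sk`. The commit message could also state what the helper returns for a timewait socket, because the fix depends on the `if (sk)` test on the next line handling that result.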
--
2.47.0.338.g60cca15819-goog
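
An added example, not from the patch author or the kernel tree: a user-space C model of the bug class the commit message describes, where a hook reads a full-socket field through `skb->sk` although the pointer may refer to a shorter timewait object, and of the narrowing step the patch inserts. The struct layouts, the SID values and the helper's behaviour (request socket to its listener, timewait socket to NULL) are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; these are not the kernel's definitions. */
enum sk_state { ST_ESTABLISHED = 1, ST_TIME_WAIT, ST_NEW_SYN_RECV, ST_LISTEN };
struct sock_common { enum sk_state state; };
/* Full socket: the only kind that carries a security blob. */
struct full_sock {
    struct sock_common common;      /* first member, shared by every kind */
    char other_fields[64];
    unsigned int *security;         /* stands in for sk->sk_security */
};
/* Mini sockets start with the same header but are much shorter. */
struct tw_sock  { struct sock_common common; int timer; };
struct req_sock { struct sock_common common; struct full_sock *listener; };
#define SID_SKIP   0u   /* constructed: listener check fired, leave skb alone */
#define SID_KERNEL 1u   /* constructed: fallback label when no full socket */

/* Unpatched pattern: is a read of ->security inside an object of this size? */
static int raw_read_in_bounds(size_t obj_size)
{
    return offsetof(struct full_sock, security) + sizeof(unsigned int *) <= obj_size;
}

/* Assumed helper behaviour: request -> its listener, timewait -> NULL. */
static struct full_sock *to_full_sock(struct sock_common *sk)
{
    if (sk && sk->state == ST_NEW_SYN_RECV)
        return ((struct req_sock *)sk)->listener;
    if (sk && sk->state == ST_TIME_WAIT)
        return NULL;
    return (struct full_sock *)sk;
}

/* Patched pattern: narrow first, then NULL check, listener check, blob read. */
static unsigned int output_sid(struct sock_common *skb_sk)
{
    struct full_sock *sk = to_full_sock(skb_sk);
    if (!sk)
        return SID_KERNEL;
    if (sk->common.state == ST_LISTEN)
        return SID_SKIP;
    return *sk->security;
}

/* Run the patched lookup on one constructed socket of the given kind. */
static unsigned int sid_for(enum sk_state st)
{
    static unsigned int conn_sid = 7;   /* constructed SID */
    struct full_sock listener = { { ST_LISTEN }, { 0 }, NULL };
    struct full_sock conn = { { ST_ESTABLISHED }, { 0 }, &conn_sid };
    struct tw_sock tw = { { ST_TIME_WAIT }, 0 };
    struct req_sock req = { { ST_NEW_SYN_RECV }, &listener };
    if (st == ST_TIME_WAIT)    return output_sid(&tw.common);
    if (st == ST_NEW_SYN_RECV) return output_sid(&req.common);
    if (st == ST_LISTEN)       return output_sid(&listener.common);
    return output_sid(&conn.common);
}

int main(void)
{
    printf("timewait raw read in bounds=%d, patched sid=%u\n",
           raw_read_in_bounds(sizeof(struct tw_sock)), sid_for(ST_TIME_WAIT));
    return 0;
}
```

In the model a request socket is narrowed to its listener and then takes the listener branch, which corresponds to the commit message's remark that the sk_listener() check keeps working.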
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: Paul Moore @ 2024-11-26 15:54 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, netdev,
eric.dumazet, syzbot+2d9f5f948c31dcb7745e, Stephen Smalley,
Ondrej Mosnacek, selinux, Kuniyuki Iwashima, Brian Vazquez
On Tue, Nov 26, 2024 at 9:59 AM Eric Dumazet <edumazet@google.com> wrote:
>
> In blamed commit, TCP started to attach timewait sockets to
> some skbs.
>
> syzbot reported that selinux_ip_output() was not expecting them yet.
>
> Note that using sk_to_full_sk() is still allowing the
> following sk_listener() check to work as before.
>
> BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
> BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
> Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894
>
> CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> Call Trace:
...
> Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs")
> Reported-by: syzbot+2d9f5f948c31dcb7745e@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
> Cc: Ondrej Mosnacek <omosnace@redhat.com>
> Cc: selinux@vger.kernel.org
> Cc: Kuniyuki Iwashima <kuniyu@amazon.com>
> Cc: Brian Vazquez <brianvv@google.com>
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
This looks okay to me and based on the "net" marking in the subject
I'm guessing you're planning to send this up to Linus via the netdev
tree? If not, let me know and I'll send this up via the selinux tree.
As long as we fix it I'm happy.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f5a08f94e09402b6b0b1538fae1a7a3f5af19fe6..366c87a40bd15707f6da4f25e8de4ddce3d281fc 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5738,7 +5738,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
> /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
> * because we want to make sure we apply the necessary labeling
> * before IPsec is applied so we can leverage AH protection */
> - sk = skb->sk;
> + sk = sk_to_full_sk(skb->sk);
> if (sk) {
> struct sk_security_struct *sksec;
>
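Review bot: The changed line sits at hooks.c:5741 by this hunk's header, but the KASAN report in the commit message places the out-of-bounds read in the inlined selinux_sock() at hooks.c:5761, outside the context shown after the change. Please confirm that every statement between the `if (sk) {` shown here and that read uses the local `sk` and never goes back to `skb->sk`, and say in the commit message whether the other SELinux netfilter hooks were checked for the same assumption about timewait sockets.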
> --
> 2.47.0.338.g60cca15819-goog
--
paul-moore.com
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: Kuniyuki Iwashima @ 2024-11-27 3:49 UTC (permalink / raw)
To: edumazet
Cc: brianvv, davem, eric.dumazet, kuba, kuniyu, netdev, omosnace,
pabeni, paul, selinux, stephen.smalley.work,
syzbot+2d9f5f948c31dcb7745e
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 26 Nov 2024 14:59:11 +0000
> In blamed commit, TCP started to attach timewait sockets to
> some skbs.
>
> syzbot reported that selinux_ip_output() was not expecting them yet.
>
> Note that using sk_to_full_sk() is still allowing the
> following sk_listener() check to work as before.
>
> BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
> BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
> Read of size 8 at addr ffff88804e86e758 by task syz-executor347/5894
>
> CPU: 0 UID: 0 PID: 5894 Comm: syz-executor347 Not tainted 6.12.0-syzkaller-05480-gfcc79e1714e8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:377 [inline]
> print_report+0xc3/0x620 mm/kasan/report.c:488
> kasan_report+0xd9/0x110 mm/kasan/report.c:601
> selinux_sock security/selinux/include/objsec.h:207 [inline]
> selinux_ip_output+0x1e0/0x1f0 security/selinux/hooks.c:5761
> nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
> nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
> nf_hook+0x386/0x6d0 include/linux/netfilter.h:269
> __ip_local_out+0x339/0x640 net/ipv4/ip_output.c:119
> ip_local_out net/ipv4/ip_output.c:128 [inline]
> ip_send_skb net/ipv4/ip_output.c:1505 [inline]
> ip_push_pending_frames+0xa0/0x5b0 net/ipv4/ip_output.c:1525
> ip_send_unicast_reply+0xd0e/0x1650 net/ipv4/ip_output.c:1672
> tcp_v4_send_ack+0x976/0x13f0 net/ipv4/tcp_ipv4.c:1024
> tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline]
> tcp_v4_rcv+0x2f96/0x4390 net/ipv4/tcp_ipv4.c:2428
> ip_protocol_deliver_rcu+0xba/0x4c0 net/ipv4/ip_input.c:205
> ip_local_deliver_finish+0x316/0x570 net/ipv4/ip_input.c:233
> NF_HOOK include/linux/netfilter.h:314 [inline]
> NF_HOOK include/linux/netfilter.h:308 [inline]
> ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
> dst_input include/net/dst.h:460 [inline]
> ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
> NF_HOOK include/linux/netfilter.h:314 [inline]
> NF_HOOK include/linux/netfilter.h:308 [inline]
> ip_rcv+0x2c3/0x5d0 net/ipv4/ip_input.c:567
> __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5672
> __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
> process_backlog+0x443/0x15f0 net/core/dev.c:6117
> __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6877
> napi_poll net/core/dev.c:6946 [inline]
> net_rx_action+0xa94/0x1010 net/core/dev.c:7068
> handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
> do_softirq kernel/softirq.c:455 [inline]
> do_softirq+0xb2/0xf0 kernel/softirq.c:442
> </IRQ>
> <TASK>
> __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
> local_bh_enable include/linux/bottom_half.h:33 [inline]
> rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
> __dev_queue_xmit+0x8af/0x43e0 net/core/dev.c:4461
> dev_queue_xmit include/linux/netdevice.h:3168 [inline]
> neigh_hh_output include/net/neighbour.h:523 [inline]
> neigh_output include/net/neighbour.h:537 [inline]
> ip_finish_output2+0xc6c/0x2150 net/ipv4/ip_output.c:236
> __ip_finish_output net/ipv4/ip_output.c:314 [inline]
> __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:296
> ip_finish_output+0x35/0x380 net/ipv4/ip_output.c:324
> NF_HOOK_COND include/linux/netfilter.h:303 [inline]
> ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:434
> dst_output include/net/dst.h:450 [inline]
> ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:130
> __ip_queue_xmit+0x777/0x1970 net/ipv4/ip_output.c:536
> __tcp_transmit_skb+0x2b39/0x3df0 net/ipv4/tcp_output.c:1466
> tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
> tcp_write_xmit+0x12b1/0x8560 net/ipv4/tcp_output.c:2827
> __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3010
> tcp_send_fin+0x154/0xc70 net/ipv4/tcp_output.c:3616
> __tcp_close+0x96b/0xff0 net/ipv4/tcp.c:3130
> tcp_close+0x28/0x120 net/ipv4/tcp.c:3221
> inet_release+0x13c/0x280 net/ipv4/af_inet.c:435
> __sock_release net/socket.c:640 [inline]
> sock_release+0x8e/0x1d0 net/socket.c:668
> smc_clcsock_release+0xb7/0xe0 net/smc/smc_close.c:34
> __smc_release+0x5c2/0x880 net/smc/af_smc.c:301
> smc_release+0x1fc/0x5f0 net/smc/af_smc.c:344
> __sock_release+0xb0/0x270 net/socket.c:640
> sock_close+0x1c/0x30 net/socket.c:1408
> __fput+0x3f8/0xb60 fs/file_table.c:450
> __fput_sync+0xa1/0xc0 fs/file_table.c:535
> __do_sys_close fs/open.c:1550 [inline]
> __se_sys_close fs/open.c:1535 [inline]
> __x64_sys_close+0x86/0x100 fs/open.c:1535
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> </TASK>
>
> Fixes: 79636038d37e ("ipv4: tcp: give socket pointer to control skbs")
> Reported-by: syzbot+2d9f5f948c31dcb7745e@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/lkml/6745e1a2.050a0220.1286eb.001c.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: patchwork-bot+netdevbpf @ 2024-11-30 21:50 UTC (permalink / raw)
To: Eric Dumazet
Cc: davem, kuba, pabeni, netdev, eric.dumazet,
syzbot+2d9f5f948c31dcb7745e, paul, stephen.smalley.work, omosnace,
selinux, kuniyu, brianvv
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Tue, 26 Nov 2024 14:59:11 +0000 you wrote:
> In blamed commit, TCP started to attach timewait sockets to
> some skbs.
>
> syzbot reported that selinux_ip_output() was not expecting them yet.
>
> Note that using sk_to_full_sk() is still allowing the
> following sk_listener() check to work as before.
>
> [...]
Here is the summary with links:
- [net] selinux: use sk_to_full_sk() in selinux_ip_output()
https://git.kernel.org/netdev/net/c/eedcad2f2a37
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: Paul Moore @ 2024-12-03 20:50 UTC (permalink / raw)
To: Jakub Kicinski, davem
Cc: Eric Dumazet, pabeni, netdev, eric.dumazet,
syzbot+2d9f5f948c31dcb7745e, stephen.smalley.work, omosnace,
selinux, kuniyu, brianvv
On Sat, Nov 30, 2024 at 4:50 PM <patchwork-bot+netdevbpf@kernel.org> wrote:
>
> Hello:
>
> This patch was applied to netdev/net.git (main)
> by Jakub Kicinski <kuba@kernel.org>:
Jakub, do you know when we can expect to see this sent up to Linus?
> On Tue, 26 Nov 2024 14:59:11 +0000 you wrote:
> > In blamed commit, TCP started to attach timewait sockets to
> > some skbs.
> >
> > syzbot reported that selinux_ip_output() was not expecting them yet.
> >
> > Note that using sk_to_full_sk() is still allowing the
> > following sk_listener() check to work as before.
> >
> > [...]
>
> Here is the summary with links:
> - [net] selinux: use sk_to_full_sk() in selinux_ip_output()
> https://git.kernel.org/netdev/net/c/eedcad2f2a37
>
> You are awesome, thank you!
> --
> Deet-doot-dot, I am a bot.
> https://korg.docs.kernel.org/patchwork/pwbot.html
--
paul-moore.com
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: Jakub Kicinski @ 2024-12-04 0:55 UTC (permalink / raw)
To: Paul Moore
Cc: davem, Eric Dumazet, pabeni, netdev, eric.dumazet,
syzbot+2d9f5f948c31dcb7745e, stephen.smalley.work, omosnace,
selinux, kuniyu, brianvv
On Tue, 3 Dec 2024 15:50:46 -0500 Paul Moore wrote:
> > This patch was applied to netdev/net.git (main)
> > by Jakub Kicinski <kuba@kernel.org>:
>
> Jakub, do you know when we can expect to see this sent up to Linus?
If I'm looking at our schedule right - Thursday (5th) evening EU time.
* Re: [PATCH net] selinux: use sk_to_full_sk() in selinux_ip_output()
From: Paul Moore @ 2024-12-04 3:44 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, Eric Dumazet, pabeni, netdev, eric.dumazet,
syzbot+2d9f5f948c31dcb7745e, stephen.smalley.work, omosnace,
selinux, kuniyu, brianvv
On Tue, Dec 3, 2024 at 7:55 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Tue, 3 Dec 2024 15:50:46 -0500 Paul Moore wrote:
> > > This patch was applied to netdev/net.git (main)
> > > by Jakub Kicinski <kuba@kernel.org>:
> >
> > Jakub, do you know when we can expect to see this sent up to Linus?
>
> If I'm looking at our schedule right - Thursday (5th) evening EU time.
Thanks.
--
paul-moore.com