Re: [PATCH] selinux: check for address length in selinux_socket_bind()

From: Alexander Potapenko
Date: Fri Mar 03 2017 - 12:35:06 EST

Next message: Igor Mammedov: "Re: [RFC PATCH] mm, hotplug: get rid of auto_online_blocks"
Previous message: Dmitry Vyukov: "net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone"
In reply to: Alexander Potapenko: "[PATCH] selinux: check for address length in selinux_socket_bind()"
Next in thread: Eric Dumazet: "Re: [PATCH] selinux: check for address length in selinux_socket_bind()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Mar 3, 2017 at 6:23 PM, Alexander Potapenko <glider@xxxxxxxxxx> wrote:
> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in packet_bind_spkt():
Should be "in selinux_socket_bind()", will fix in the next patch version.
> ==================================================================
> BUG: KMSAN: use of unitialized memory
> inter: 0
> CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
> ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
> 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff825759c8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
> [<ffffffff818bdee6>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
> [<ffffffff818bf0fb>] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
> [<ffffffff822dae71>] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
> [<ffffffff8229357c>] security_socket_bind+0x1ec/0x240 security/security.c:1240
> [<ffffffff84265d98>] SYSC_bind+0x358/0x5f0 net/socket.c:1366
> [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
> [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
> [<ffffffff8518217c>] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
> chained origin: 00000000ba6009bb
> [<ffffffff810bb7a7>] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
> [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
> [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337
> [<ffffffff818bd2b8>] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
> [<ffffffff818bf033>] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
> [<ffffffff84265b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
> [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
> [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
> [<ffffffff8518217c>] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
> origin description: ----address@SYSC_bind (origin=00000000b8c00900)
> ==================================================================
>
> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
>
> , when I run the following program as root:
>
> =======================================================
> #include <string.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> int main(int argc, char *argv[]) {
> struct sockaddr addr;
> int size = 0;
> if (argc > 1) {
> size = atoi(argv[1]);
> }
> memset(&addr, 0, sizeof(addr));
> int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
> bind(fd, &addr, size);
> return 0;
> }
> =======================================================
>
> (for different values of |size| other error reports are printed).
>
> This happens because bind() unconditionally copies |size| bytes of
> |addr| to the kernel, leaving the rest uninitialized. Then
> security_socket_bind() reads the IP address bytes, including the
> uninitialized ones, to determine the port, or e.g. pass them further to
> sel_netnode_find(), which uses them to calculate a hash.
>
> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
> ---
> security/selinux/hooks.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0a4b4b040e0a..eba54489b11b 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4351,10 +4351,19 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
> u32 sid, node_perm;
>
> if (family == PF_INET) {
> + if (addrlen != sizeof(struct sockaddr_in)) {
> + err = -EINVAL;
> + goto out;
> + }
> addr4 = (struct sockaddr_in *)address;
> snum = ntohs(addr4->sin_port);
> addrp = (char *)&addr4->sin_addr.s_addr;
> +
> } else {
> + if (addrlen != sizeof(struct sockaddr_in6)) {
> + err = -EINVAL;
> + goto out;
> + }
> addr6 = (struct sockaddr_in6 *)address;
> snum = ntohs(addr6->sin6_port);
> addrp = (char *)&addr6->sin6_addr.s6_addr;
> --
> 2.12.0.rc1.440.g5b76565f74-goog
>

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-StraÃe, 33
80636 MÃnchen

GeschÃftsfÃhrer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Next message: Igor Mammedov: "Re: [RFC PATCH] mm, hotplug: get rid of auto_online_blocks"
Previous message: Dmitry Vyukov: "net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone"
In reply to: Alexander Potapenko: "[PATCH] selinux: check for address length in selinux_socket_bind()"
Next in thread: Eric Dumazet: "Re: [PATCH] selinux: check for address length in selinux_socket_bind()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]