Thread (2 messages) 2 messages, 2 authors, 2015-03-31

Re: [Fix kernel crash in cipso_v4_sock_delattr ]

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2015-03-31 17:52:49
Also in: lkml 

On 3/30/2015 10:09 PM, Maninder Singh wrote:
We are currently using 3.10.58 kernel and  we are facing this issue for samck enabled system.
and as we can check in other APIs like netlbl_sock_getattr and netlbl_conn_setattr have this preventive check so we added this check for netlbl_sock_delattr also.

And regarding patch re-submission, actually we have run checkpatch.pl before submission(successfull)  But when we submit the patch our editor changes tabs into space, we will resubmitt the patch ASAP.
Further review shows that the Smack code in 3.10.72 (I don't believe it changed
after 3.10.58) already checks for the address family being AF_INET. This would indicate
that the netlink code is sending garbage to security_socket_sendmsg().

Can you provide a more specific test case? I would like to see if this problem is
present in newer kernels.

Maninder Singh
------- Original Message -------
Sender : Casey Schaufler[off-list ref]
Date : Mar 31, 2015 02:25 (GMT+09:00)
Title : Re: [Fix kernel crash in cipso_v4_sock_delattr ]

On 3/30/2015 4:32 AM, Paul Moore wrote:
quoted
On Monday, March 30, 2015 11:09:00 AM Maninder Singh wrote:
quoted
Dear All,
we found One Kernel Crash issue in cipso_v4_sock_delattr :-
As Cipso supports only inet sockets so cipso_v4_sock_delattr will crash when
try to access any other socket type.  cipso_v4_sock_delattr access
sk_inet->inet_opt which may contain not NULL but invalid address. we found
this issue with netlink socket.(reproducible by trinity using sendto system
call .) 
Hello,

First, please go read the Documentation/SubmittingPatches from the kernel 
sources; your patch needs to be resubmitted and the instructions in that file 
will show you how to do it correctly next time.

Second, this appears to only affect Smack based systems, yes?  SELinux based 
systems should have the proper checking in place to prevent this (the checks 
are handled in the LSM).
This looks like a problem that was fixed some time ago.
The current Smack code clearly checks for this. What kernel
version are you testing against?
quoted
That said, it probably wouldn't hurt to add the 
extra checking to netlbl_sock_delattr().  If you properly resubmit your patch 
I'll ACK it.

-Paul
N‹§²æìr¸›yúèšØb²X¬¶Ç§vØ^–)Þº{.nÇ+‰·¥Š{±‘êçzX§¶›¡Ü¨}©ž²Æ zÚ&j:+v‰¨¾«‘êçzZ+€Ê+zf£¢·hšˆ§~†­†Ûiÿûàz¹
®w¥¢¸?™¨è­Ú&¢)ߢf”ù^jÇ«y§m…á@A«a¶Úÿ
0¶ìh®å’i
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help