Re: [RFC PATCH 08/17] ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

2015-12-22 Thread Hannes Frederic Sowa 
On 22.12.2015 12:46, Huw Davies wrote:
> The functionality is equivalent to ipv6_renew_options() except
> that the newopt pointer is in kernel, not user, memory
> 
> The kernel memory implementation will be used by the CALIPSO network
> labelling engine, which needs to be able to set IPv6 hop-by-hop
> options.
> 
> Signed-off-by: Huw Davies 
> ---
>  include/net/ipv6.h |   6 +++
>  net/ipv6/exthdrs.c | 131 
> -
>  2 files changed, 125 insertions(+), 12 deletions(-)
> 
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index 9a5c9f0..5a72ffd 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -304,6 +304,12 @@ struct ipv6_txoptions *ipv6_renew_options(struct sock 
> *sk,
> int newtype,
> struct ipv6_opt_hdr __user *newopt,
> int newoptlen);
> +struct ipv6_txoptions *
> +ipv6_renew_options_kern(struct sock *sk,
> + struct ipv6_txoptions *opt,
> + int newtype,
> + struct ipv6_opt_hdr *newopt,
> + int newoptlen);
>  struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space,
> struct ipv6_txoptions *opt);
>  
> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
> index ea7c4d6..9426b26 100644
> --- a/net/ipv6/exthdrs.c
> +++ b/net/ipv6/exthdrs.c
> @@ -734,11 +734,16 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions 
> *opt)
>  EXPORT_SYMBOL_GPL(ipv6_dup_options);
>  
>  static int ipv6_renew_option(void *ohdr,
> -  struct ipv6_opt_hdr __user *newopt, int newoptlen,
> +  struct ipv6_opt_hdr __user *newopt_user,
> +  struct ipv6_opt_hdr *newopt,
> +  int newoptlen,
>int inherit,
>struct ipv6_opt_hdr **hdr,
>char **p)


This looks quite ugly to me.

Wouldn't it be possible to do something like this:


ipv6_renew_option_kern(...)
{
int ret;
const mm_segment_t old_fs = get_fs();
set_fs(KERNEL_DS);
ret = ipv6_renew_option(...); // maybe you need to forcefully cast the
user away here
set_fs(old_fs);
return ret;
}

Bye,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 16/17] calipso: Add validation of CALIPSO option.

2015-12-22 Thread Hannes Frederic Sowa 
On 22.12.2015 12:46, Huw Davies wrote:
>  
> +/* CALIPSO RFC 5570 */
> +
> +static bool ipv6_hop_calipso(struct sk_buff *skb, int optoff)
> +{
> + const unsigned char *nh = skb_network_header(skb);
> +
> + if (nh[optoff + 1] < 8)
> + goto drop;
> +
> + if (nh[optoff + 6] * 4 + 8 > nh[optoff + 1])
> + goto drop;
> +
> + if (!calipso_validate(skb, nh + optoff))
> + goto drop;
> +
> + return true;
> +
> +drop:
> + kfree_skb(skb);
> + return false;
> +}
> +

Formally, if an extension header could not be processed, the packet
should be discarded and an icmp error parameter extension should be
send. I think we shouldn't let those packets pass here.

Thanks,
Hannes

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [RFC PATCH 13/17] calipso: Allow request sockets to be relabelled by the lsm.

2015-12-22 Thread Hannes Frederic Sowa 
On 22.12.2015 12:46, Huw Davies wrote:
>   tot_len += sizeof(*opt2);
> - opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC);
> + if (sk)
> + opt2 = sock_kmalloc(sk, tot_len, GFP_ATOMIC);
> + else
> + opt2 = kmalloc(tot_len, GFP_ATOMIC);
>   if (!opt2)
>   return ERR_PTR(-ENOBUFS);

This change looks dangerous to me in terms of control of memory
depletion from a remote host. Could you use sk_to_full_sk and account
options towards the listener socket?

--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html