[PATCH net] selinux: fix random read in selinux_ip_postroute_compat()

Thu, 05 Nov 2015 13:40:19 -0800 

From: Eric Dumazet <[email protected]>

In commit e446f9dfe17b ("net: synack packets can be attached to request
sockets"), I missed one remaining case of invalid skb->sk->sk_security
access.

Dmitry Vyukov got a KASan report pointing to it.

Add selinux_skb_sk() helper that is responsible to get back to the
listener if skb is attached to a request socket, instead of
duplicating the logic.

Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of 
listener")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Cc: Paul Moore <[email protected]>
---
 security/selinux/hooks.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 26f4039d54b8..c9b2d5467477 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4931,11 +4931,23 @@ static unsigned int selinux_ipv4_output(void *priv,
        return selinux_ip_output(skb, PF_INET);
 }
 
+/* SYNACK messages might be attached to request sockets.
+ * To get back to sk_security, we need to look at the listener.
+ */
+static struct sock *selinux_skb_sk(const struct sk_buff *skb)
+{
+       struct sock *sk = skb->sk;
+
+       if (sk && sk->sk_state == TCP_NEW_SYN_RECV)
+               sk = inet_reqsk(sk)->rsk_listener;
+       return sk;
+}
+
 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
                                                int ifindex,
                                                u16 family)
 {
-       struct sock *sk = skb->sk;
+       struct sock *sk = selinux_skb_sk(skb);
        struct sk_security_struct *sksec;
        struct common_audit_data ad;
        struct lsm_network_audit net = {0,};
@@ -4990,7 +5002,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff 
*skb,
        if (!secmark_active && !peerlbl_active)
                return NF_ACCEPT;
 
-       sk = skb->sk;
+       sk = selinux_skb_sk(skb);
 
 #ifdef CONFIG_XFRM
        /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
@@ -5035,8 +5047,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff 
*skb,
                u32 skb_sid;
                struct sk_security_struct *sksec;
 
-               if (sk->sk_state == TCP_NEW_SYN_RECV)
-                       sk = inet_reqsk(sk)->rsk_listener;
                sksec = sk->sk_security;
                if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
                        return NF_DROP;


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to