Re: [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg when using

To: netdev@xxxxxxxxxxx
Subject: Re: [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg when using SELinux and SOCK_SEQPACKET
From: Ross Kendall Axe <ross.axe@xxxxxxxxxxxxxxxx>
Date: Wed, 17 Nov 2004 21:29:38 +0000
Cc: Stephen Smalley <sds@xxxxxxxxxxxxxx>, lkml <linux-kernel@xxxxxxxxxxxxxxx>, jmorris@xxxxxxxxxx
In-reply-to: <20041116004122.V14339@build.pdx.osdl.net>
References: <4197A037.1020307@blueyonder.co.uk> <1100525477.31773.38.camel@moss-spartans.epoch.ncsc.mil> <20041116004122.V14339@build.pdx.osdl.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (X11/20040913)
Chris Wright wrote:
* Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:

On Sun, 2004-11-14 at 13:13, Ross Kendall Axe wrote:

With CONFIG_SECURITY_NETWORK=y and CONFIG_SECURITY_SELINUX=y, using
SOCK_SEQPACKET unix domain sockets causes an oops in the superfluous(?)
call to security_unix_may_send in sock_dgram_sendmsg. This patch avoids
making this call for SOCK_SEQPACKET sockets.

I'd prefer to track down the actual issue in the SELinux code and correct it than just omit the security hook call entirely. Do you have the Oops output and a trivial test case? Thanks.


Oops at http://www.rossaxe.pwp.blueyonder.co.uk/seqpacket-oops/seqpacket-oops.txt and test case at http://www.rossaxe.pwp.blueyonder.co.uk/seqpacket-oops/seqpacket-killer.tar.gz Just run 'seqpacket-crashd & seqpacket-crash' a couple of times.


Well, there is one simple case that will trigger the Oops. Send a SEQPACKET to a connected but not yet accepted socket. In this case other->sk_socket is still NULL, and SELinux will deref the NULL pointer in selinux_socket_may_send() when getting other_isec. There is already a check in unix_stream_connect, which is all that's used for normal unix stream sockets. But the seqpacket socket then uses unix_dgram_sendmsg, so triggers the may_send check as well.

thanks,
-chris

A possibility that hadn't occurred to me was using sendto to send packets without connecting. Is this supposed to work? If so, then my patch is indeed inappropriate. If not, then that needs fixing also.

Ross

Attachment: signature.asc
Description: OpenPGP digital signature
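
The socket state Chris Wright describes above (a peer that is connected but not yet accepted has no `sk_socket`), as an added user-space model that is not code from this thread or from the kernel. All `m_*` types and functions, the SID comparison and the `-ENOTCONN` return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model only: the m_* types and functions are hypothetical
 * stand-ins for struct sock, struct socket and the SELinux inode blob. */
struct m_isec   { unsigned int sid; };
struct m_socket { struct m_isec *isec; };
struct m_sock   { struct m_socket *sk_socket; };

/* connect(): the server-side sock is created and queued on the listener,
 * but no struct socket is attached to it yet. */
static void m_connect(struct m_sock *peer) { peer->sk_socket = NULL; }

/* accept(): the queued sock is grafted onto a new struct socket. */
static void m_accept(struct m_sock *peer, struct m_socket *newsock)
{
    peer->sk_socket = newsock;
}

/* Hook shape described in the thread: reads the peer's security blob
 * through other, so other == NULL is a NULL dereference. The SID
 * comparison is a constructed placeholder for the real policy check. */
static int may_send_unguarded(struct m_socket *sock, struct m_socket *other)
{
    return sock->isec->sid == other->isec->sid ? 0 : -EACCES;
}

/* Guarded form. Returning -ENOTCONN is this example's assumption; the
 * thread does not settle what the hook should do in this state. */
static int may_send_guarded(struct m_socket *sock, struct m_socket *other)
{
    if (other == NULL || other->isec == NULL)
        return -ENOTCONN;
    return may_send_unguarded(sock, other);
}

/* Runs the sender's check against a peer, before or after accept(). */
int check_send(int accepted)
{
    struct m_isec sec = { 42 };               /* constructed sample SID */
    struct m_socket client = { &sec }, server = { &sec };
    struct m_sock peer;

    m_connect(&peer);
    if (accepted)
        m_accept(&peer, &server);
    return may_send_guarded(&client, peer.sk_socket);
}
```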
