Drop "selinux: properly handle multiple messages in selinux_netlink_send()"
This commit is contained in:
parent
7cbcb7e493
commit
790b310863
|
@ -169,7 +169,6 @@ linux (4.19.121-1) UNRELEASED; urgency=medium
|
||||||
- ALSA: opti9xx: shut up gcc-10 range warning
|
- ALSA: opti9xx: shut up gcc-10 range warning
|
||||||
- nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
|
- nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
|
||||||
- dmaengine: dmatest: Fix iteration non-stop logic
|
- dmaengine: dmatest: Fix iteration non-stop logic
|
||||||
- selinux: properly handle multiple messages in selinux_netlink_send()
|
|
||||||
- btrfs: fix partial loss of prealloc extent past i_size after fsync
|
- btrfs: fix partial loss of prealloc extent past i_size after fsync
|
||||||
- btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info
|
- btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info
|
||||||
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop
|
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop
|
||||||
|
|
|
@ -1,112 +0,0 @@
|
||||||
From: Paul Moore <paul@paul-moore.com>
|
|
||||||
Date: Tue, 28 Apr 2020 09:59:02 -0400
|
|
||||||
Subject: selinux: properly handle multiple messages in selinux_netlink_send()
|
|
||||||
Origin: https://git.kernel.org/linus/fb73974172ffaaf57a7c42f35424d9aece1a5af6
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10751
|
|
||||||
|
|
||||||
Fix the SELinux netlink_send hook to properly handle multiple netlink
|
|
||||||
messages in a single sk_buff; each message is parsed and subject to
|
|
||||||
SELinux access control. Prior to this patch, SELinux only inspected
|
|
||||||
the first message in the sk_buff.
|
|
||||||
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
|
||||||
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
|
||||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
||||||
---
|
|
||||||
security/selinux/hooks.c | 70 ++++++++++++++++++++++++++--------------
|
|
||||||
1 file changed, 45 insertions(+), 25 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
||||||
index c574285966f9..452254fd89f8 100644
|
|
||||||
--- a/security/selinux/hooks.c
|
|
||||||
+++ b/security/selinux/hooks.c
|
|
||||||
@@ -5595,40 +5595,60 @@ static int selinux_tun_dev_open(void *security)
|
|
||||||
|
|
||||||
static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
|
|
||||||
{
|
|
||||||
- int err = 0;
|
|
||||||
- u32 perm;
|
|
||||||
+ int rc = 0;
|
|
||||||
+ unsigned int msg_len;
|
|
||||||
+ unsigned int data_len = skb->len;
|
|
||||||
+ unsigned char *data = skb->data;
|
|
||||||
struct nlmsghdr *nlh;
|
|
||||||
struct sk_security_struct *sksec = sk->sk_security;
|
|
||||||
+ u16 sclass = sksec->sclass;
|
|
||||||
+ u32 perm;
|
|
||||||
|
|
||||||
- if (skb->len < NLMSG_HDRLEN) {
|
|
||||||
- err = -EINVAL;
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
- nlh = nlmsg_hdr(skb);
|
|
||||||
+ while (data_len >= nlmsg_total_size(0)) {
|
|
||||||
+ nlh = (struct nlmsghdr *)data;
|
|
||||||
+
|
|
||||||
+ /* NOTE: the nlmsg_len field isn't reliably set by some netlink
|
|
||||||
+ * users which means we can't reject skb's with bogus
|
|
||||||
+ * length fields; our solution is to follow what
|
|
||||||
+ * netlink_rcv_skb() does and simply skip processing at
|
|
||||||
+ * messages with length fields that are clearly junk
|
|
||||||
+ */
|
|
||||||
+ if (nlh->nlmsg_len < NLMSG_HDRLEN || nlh->nlmsg_len > data_len)
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
|
|
||||||
- if (err) {
|
|
||||||
- if (err == -EINVAL) {
|
|
||||||
+ rc = selinux_nlmsg_lookup(sclass, nlh->nlmsg_type, &perm);
|
|
||||||
+ if (rc == 0) {
|
|
||||||
+ rc = sock_has_perm(sk, perm);
|
|
||||||
+ if (rc)
|
|
||||||
+ return rc;
|
|
||||||
+ } else if (rc == -EINVAL) {
|
|
||||||
+ /* -EINVAL is a missing msg/perm mapping */
|
|
||||||
pr_warn_ratelimited("SELinux: unrecognized netlink"
|
|
||||||
- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
|
|
||||||
- " pig=%d comm=%s\n",
|
|
||||||
- sk->sk_protocol, nlh->nlmsg_type,
|
|
||||||
- secclass_map[sksec->sclass - 1].name,
|
|
||||||
- task_pid_nr(current), current->comm);
|
|
||||||
- if (!enforcing_enabled(&selinux_state) ||
|
|
||||||
- security_get_allow_unknown(&selinux_state))
|
|
||||||
- err = 0;
|
|
||||||
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
|
|
||||||
+ " pid=%d comm=%s\n",
|
|
||||||
+ sk->sk_protocol, nlh->nlmsg_type,
|
|
||||||
+ secclass_map[sclass - 1].name,
|
|
||||||
+ task_pid_nr(current), current->comm);
|
|
||||||
+ if (enforcing_enabled(&selinux_state) &&
|
|
||||||
+ !security_get_allow_unknown(&selinux_state))
|
|
||||||
+ return rc;
|
|
||||||
+ rc = 0;
|
|
||||||
+ } else if (rc == -ENOENT) {
|
|
||||||
+ /* -ENOENT is a missing socket/class mapping, ignore */
|
|
||||||
+ rc = 0;
|
|
||||||
+ } else {
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Ignore */
|
|
||||||
- if (err == -ENOENT)
|
|
||||||
- err = 0;
|
|
||||||
- goto out;
|
|
||||||
+ /* move to the next message after applying netlink padding */
|
|
||||||
+ msg_len = NLMSG_ALIGN(nlh->nlmsg_len);
|
|
||||||
+ if (msg_len >= data_len)
|
|
||||||
+ return 0;
|
|
||||||
+ data_len -= msg_len;
|
|
||||||
+ data += msg_len;
|
|
||||||
}
|
|
||||||
|
|
||||||
- err = sock_has_perm(sk, perm);
|
|
||||||
-out:
|
|
||||||
- return err;
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef CONFIG_NETFILTER
|
|
||||||
--
|
|
||||||
2.27.0.rc0
|
|
||||||
|
|
|
@ -296,7 +296,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
debian/ntfs-mark-it-as-broken.patch
|
debian/ntfs-mark-it-as-broken.patch
|
||||||
bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
|
|
||||||
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
||||||
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
||||||
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
|
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
|
||||||
|
|
Loading…
Reference in New Issue