path: root/security
diff options
authorEric Dumazet <edumazet@google.com>2015-11-05 13:39:24 -0800
committerDavid S. Miller <davem@davemloft.net>2015-11-05 16:45:51 -0500
commit212cd0895330b775f2db49451f046a5ca4e5704b (patch)
treec4f9be4c046587df4fad72299a5888096153f4c9 /security
parent432599d7a7062ad7e37e72601607dc35596afe40 (diff)
selinux: fix random read in selinux_ip_postroute_compat()
In commit e446f9dfe17b ("net: synack packets can be attached to request sockets"), I missed one remaining case of invalid skb->sk->sk_security access. Dmitry Vyukov got a KASan report pointing to it. Add selinux_skb_sk() helper that is responsible to get back to the listener if skb is attached to a request socket, instead of duplicating the logic. Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
1 files changed, 14 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 26f4039d54b8..c9b2d5467477 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4931,11 +4931,23 @@ static unsigned int selinux_ipv4_output(void *priv,
return selinux_ip_output(skb, PF_INET);
+/* SYNACK messages might be attached to request sockets.
+ * To get back to sk_security, we need to look at the listener.
+ */
+static struct sock *selinux_skb_sk(const struct sk_buff *skb)
+ struct sock *sk = skb->sk;
+ if (sk && sk->sk_state == TCP_NEW_SYN_RECV)
+ sk = inet_reqsk(sk)->rsk_listener;
+ return sk;
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
int ifindex,
u16 family)
- struct sock *sk = skb->sk;
+ struct sock *sk = selinux_skb_sk(skb);
struct sk_security_struct *sksec;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4990,7 +5002,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
- sk = skb->sk;
+ sk = selinux_skb_sk(skb);
/* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
@@ -5035,8 +5047,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
u32 skb_sid;
struct sk_security_struct *sksec;
- if (sk->sk_state == TCP_NEW_SYN_RECV)
- sk = inet_reqsk(sk)->rsk_listener;
sksec = sk->sk_security;
if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
return NF_DROP;