Re: [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg whenusing SELinux and SOCK_SEQPACKET

[Ross Kendall Axe]

Chris Wright wrote:
> * Stephen Smalley (sds@xxxxxxxxxxxxxx) wrote:
>
> > On Sun, 2004-11-14 at 13:13, Ross Kendall Axe wrote:
> >
> > > With CONFIG_SECURITY_NETWORK=y and CONFIG_SECURITY_SELINUX=y, using
> > > SOCK_SEQPACKET unix domain sockets causes an oops in the superfluous(?)
> > > call to security_unix_may_send in sock_dgram_sendmsg. This patch avoids
> > > making this call for SOCK_SEQPACKET sockets.
> >
> > I'd prefer to track down the actual issue in the SELinux code and
> > correct it than just omit the security hook call entirely.  Do you have
> > the Oops output and a trivial test case?  Thanks.

Oops at
http://www.rossaxe.pwp.blueyonder.co.uk/seqpacket-oops/seqpacket-oops.txt
and test case at
http://www.rossaxe.pwp.blueyonder.co.uk/seqpacket-oops/seqpacket-killer.tar.gz
Just run 'seqpacket-crashd & seqpacket-crash' a couple of times.

> Well, there is one simple case that will trigger the Oops.  Send a
> SEQPACKET to a connected but not yet accepted socket.  In this case
> other->sk_socket is still NULL, and SELinux will deref the NULL pointer
> in selinux_socket_may_send() when geting other_isec.  There is already
> a check in unix_stream_connect, which is all that's used for normal unix
> stream sockets.  But the seqpacket socket then uses unix_dgram_sendmsg,
> so triggers the may_send check as well.
>
> thanks,
> -chris

A possibility that hadn't occurred to me was using sendto to send packets
without connecting. Is this supposed to work? If so, then my patch is
indeed inappropriate. If not, then that needs fixing also.

Ross

Attachment: signature.asc
Description: OpenPGP digital signature