1. 31 Mar, 2017 1 commit
  2. 29 Mar, 2017 15 commits
  3. 23 Mar, 2017 12 commits
  4. 10 Mar, 2017 2 commits
    • Alexander Potapenko's avatar
      selinux: check for address length in selinux_socket_bind() · e2f586bd
      Alexander Potapenko authored
      KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
      uninitialized memory in selinux_socket_bind():
      
      ==================================================================
      BUG: KMSAN: use of unitialized memory
      inter: 0
      CPU: 3 PID: 1074 Comm: packet2 Tainted: G    B           4.8.0-rc6+ #1916
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48
       ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550
       0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002
      Call Trace:
       [<     inline     >] __dump_stack lib/dump_stack.c:15
       [<ffffffff825759c8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
       [<ffffffff818bdee6>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008
       [<ffffffff818bf0fb>] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424
       [<ffffffff822dae71>] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288
       [<ffffffff8229357c>] security_socket_bind+0x1ec/0x240 security/security.c:1240
       [<ffffffff84265d98>] SYSC_bind+0x358/0x5f0 net/socket.c:1366
       [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
       [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
       [<ffffffff8518217c>] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:?
      chained origin: 00000000ba6009bb
       [<ffffffff810bb7a7>] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67
       [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
       [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:337
       [<ffffffff818bd2b8>] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530
       [<ffffffff818bf033>] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380
       [<ffffffff84265b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
       [<ffffffff84265a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
       [<ffffffff81005678>] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292
       [<ffffffff8518217c>] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:?
      origin description: ----address@SYSC_bind (origin=00000000b8c00900)
      ==================================================================
      
      (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
      
      , when I run the following program as root:
      
      =======================================================
        #include <string.h>
        #include <sys/socket.h>
        #include <netinet/in.h>
      
        int main(int argc, char *argv[]) {
          struct sockaddr addr;
          int size = 0;
          if (argc > 1) {
            size = atoi(argv[1]);
          }
          memset(&addr, 0, sizeof(addr));
          int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
          bind(fd, &addr, size);
          return 0;
        }
      =======================================================
      
      (for different values of |size| other error reports are printed).
      
      This happens because bind() unconditionally copies |size| bytes of
      |addr| to the kernel, leaving the rest uninitialized. Then
      security_socket_bind() reads the IP address bytes, including the
      uninitialized ones, to determine the port, or e.g. pass them further to
      sel_netnode_find(), which uses them to calculate a hash.
      Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      [PM: fixed some whitespace damage]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      e2f586bd
    • Nicolas Iooss's avatar
      selinux: include sys/socket.h in host programs to have PF_MAX · c017c71c
      Nicolas Iooss authored
      Compiling with clang and -Wundef makes the compiler report a usage of
      undefined PF_MAX macro in security/selinux/include/classmap.h:
      
          In file included from scripts/selinux/mdp/mdp.c:48:
          security/selinux/include/classmap.h:37:31: warning: no previous
          extern declaration for non-static variable 'secclass_map'
          [-Wmissing-variable-declarations]
          struct security_class_mapping secclass_map[] = {
                                        ^
          security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not
          defined, evaluates to 0 [-Werror,-Wundef]
          #if PF_MAX > 43
              ^
          In file included from scripts/selinux/genheaders/genheaders.c:17:
          security/selinux/include/classmap.h:37:31: warning: no previous
          extern declaration for non-static variable 'secclass_map'
          [-Wmissing-variable-declarations]
          struct security_class_mapping secclass_map[] = {
                                        ^
          security/selinux/include/classmap.h:235:5: error: 'PF_MAX' is not
          defined, evaluates to 0 [-Werror,-Wundef]
          #if PF_MAX > 43
              ^
      
      PF_MAX is defined in include/linux/socket.h but not in
      include/uapi/linux/socket.h. Therefore host programs have to rely on the
      definition from libc's /usr/include/bits/socket.h, included by
      <sys/socket.h>.
      
      Fix the issue by using sys/socket.h in mdp and genheaders. When
      classmap.h is included by security/selinux/avc.c, it uses the kernel
      definition of PF_MAX, which makes the test consistent.
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss@m4x.org>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      c017c71c
  5. 06 Mar, 2017 3 commits
  6. 05 Mar, 2017 4 commits
    • Stephen Smalley's avatar
      selinux: fix kernel BUG on prlimit(..., NULL, NULL) · 84e6885e
      Stephen Smalley authored
      commit 79bcf325e6b32b3c ("prlimit,security,selinux: add a security hook
      for prlimit") introduced a security hook for prlimit() and implemented it
      for SELinux.  However, if prlimit() is called with NULL arguments for both
      the new limit and the old limit, then the hook is called with 0 for the
      read/write flags, since the prlimit() will neither read nor write the
      process' limits.  This would in turn lead to calling avc_has_perm() with 0
      for the requested permissions, which triggers a BUG_ON() in
      avc_has_perm_noaudit() since the kernel should never be invoking
      avc_has_perm() with no permissions.  Fix this in the SELinux hook by
      returning immediately if the flags are 0.  Arguably prlimit64() itself
      ought to return immediately if both old_rlim and new_rlim are NULL since
      it is effectively a no-op in that case.
      
      Reported by the lkp-robot based on trinity testing.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      84e6885e
    • Stephen Smalley's avatar
      prlimit,security,selinux: add a security hook for prlimit · 791ec491
      Stephen Smalley authored
      When SELinux was first added to the kernel, a process could only get
      and set its own resource limits via getrlimit(2) and setrlimit(2), so no
      MAC checks were required for those operations, and thus no security hooks
      were defined for them. Later, SELinux introduced a hook for setlimit(2)
      with a check if the hard limit was being changed in order to be able to
      rely on the hard limit value as a safe reset point upon context
      transitions.
      
      Later on, when prlimit(2) was added to the kernel with the ability to get
      or set resource limits (hard or soft) of another process, LSM/SELinux was
      not updated other than to pass the target process to the setrlimit hook.
      This resulted in incomplete control over both getting and setting the
      resource limits of another process.
      
      Add a new security_task_prlimit() hook to the check_prlimit_permission()
      function to provide complete mediation.  The hook is only called when
      acting on another task, and only if the existing DAC/capability checks
      would allow access.  Pass flags down to the hook to indicate whether the
      prlimit(2) call will read, write, or both read and write the resource
      limits of the target process.
      
      The existing security_task_setrlimit() hook is left alone; it continues
      to serve a purpose in supporting the ability to make decisions based on
      the old and/or new resource limit values when setting limits.  This
      is consistent with the DAC/capability logic, where
      check_prlimit_permission() performs generic DAC/capability checks for
      acting on another task, while do_prlimit() performs a capability check
      based on a comparison of the old and new resource limits.  Fix the
      inline documentation for the hook to match the code.
      
      Implement the new hook for SELinux.  For setting resource limits, we
      reuse the existing setrlimit permission.  Note that this does overload
      the setrlimit permission to mean the ability to set the resource limit
      (soft or hard) of another process or the ability to change one's own
      hard limit.  For getting resource limits, a new getrlimit permission
      is defined.  This was not originally defined since getrlimit(2) could
      only be used to obtain a process' own limits.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      791ec491
    • Linus Torvalds's avatar
      Linux 4.11-rc1 · c1ae3cfa
      Linus Torvalds authored
      c1ae3cfa
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8d70eeb8
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix double-free in batman-adv, from Sven Eckelmann.
      
       2) Fix packet stats for fast-RX path, from Joannes Berg.
      
       3) Netfilter's ip_route_me_harder() doesn't handle request sockets
          properly, fix from Florian Westphal.
      
       4) Fix sendmsg deadlock in rxrpc, from David Howells.
      
       5) Add missing RCU locking to transport hashtable scan, from Xin Long.
      
       6) Fix potential packet loss in mlxsw driver, from Ido Schimmel.
      
       7) Fix race in NAPI handling between poll handlers and busy polling,
          from Eric Dumazet.
      
       8) TX path in vxlan and geneve need proper RCU locking, from Jakub
          Kicinski.
      
       9) SYN processing in DCCP and TCP need to disable BH, from Eric
          Dumazet.
      
      10) Properly handle net_enable_timestamp() being invoked from IRQ
          context, also from Eric Dumazet.
      
      11) Fix crash on device-tree systems in xgene driver, from Alban Bedel.
      
      12) Do not call sk_free() on a locked socket, from Arnaldo Carvalho de
          Melo.
      
      13) Fix use-after-free in netvsc driver, from Dexuan Cui.
      
      14) Fix max MTU setting in bonding driver, from WANG Cong.
      
      15) xen-netback hash table can be allocated from softirq context, so use
          GFP_ATOMIC. From Anoob Soman.
      
      16) Fix MAC address change bug in bgmac driver, from Hari Vyas.
      
      17) strparser needs to destroy strp_wq on module exit, from WANG Cong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
        strparser: destroy workqueue on module exit
        sfc: fix IPID endianness in TSOv2
        sfc: avoid max() in array size
        rds: remove unnecessary returned value check
        rxrpc: Fix potential NULL-pointer exception
        nfp: correct DMA direction in XDP DMA sync
        nfp: don't tell FW about the reserved buffer space
        net: ethernet: bgmac: mac address change bug
        net: ethernet: bgmac: init sequence bug
        xen-netback: don't vfree() queues under spinlock
        xen-netback: keep a local pointer for vif in backend_disconnect()
        netfilter: nf_tables: don't call nfnetlink_set_err() if nfnetlink_send() fails
        netfilter: nft_set_rbtree: incorrect assumption on lower interval lookups
        netfilter: nf_conntrack_sip: fix wrong memory initialisation
        can: flexcan: fix typo in comment
        can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
        can: gs_usb: fix coding style
        can: gs_usb: Don't use stack memory for USB transfers
        ixgbe: Limit use of 2K buffers on architectures with 256B or larger cache lines
        ixgbe: update the rss key on h/w, when ethtool ask for it
        ...
      8d70eeb8
  7. 04 Mar, 2017 3 commits
    • Linus Torvalds's avatar
      Merge tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 2d62e076
      Linus Torvalds authored
      Pull more KVM updates from Radim Krčmář:
       "Second batch of KVM changes for the 4.11 merge window:
      
        PPC:
         - correct assumption about ASDR on POWER9
         - fix MMIO emulation on POWER9
      
        x86:
         - add a simple test for ioperm
         - cleanup TSS (going through KVM tree as the whole undertaking was
           caused by VMX's use of TSS)
         - fix nVMX interrupt delivery
         - fix some performance counters in the guest
      
        ... and two cleanup patches"
      
      * tag 'kvm-4.11-2' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: nVMX: Fix pending events injection
        x86/kvm/vmx: remove unused variable in segment_base()
        selftests/x86: Add a basic selftest for ioperm
        x86/asm: Tidy up TSS limit code
        kvm: convert kvm.users_count from atomic_t to refcount_t
        KVM: x86: never specify a sample period for virtualized in_tx_cp counters
        KVM: PPC: Book3S HV: Don't use ASDR for real-mode HPT faults on POWER9
        KVM: PPC: Book3S HV: Fix software walk of guest process page tables
      2d62e076
    • Linus Torvalds's avatar
      Merge tag 'docs-4.11-fixes' of git://git.lwn.net/linux · be834aaf
      Linus Torvalds authored
      Pull documentation fixes from Jonathan Corbet:
       "A few fixes for the docs tree, including one for a 4.11 build
        regression"
      
      * tag 'docs-4.11-fixes' of git://git.lwn.net/linux:
        Documentation/sphinx: fix primary_domain configuration
        docs: Fix htmldocs build failure
        doc/ko_KR/memory-barriers: Update control-dependencies section
        pcieaer doc: update the link
        Documentation: Update path to sysrq.txt
      be834aaf
    • Linus Torvalds's avatar
      Merge tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 91aff98b
      Linus Torvalds authored
      Pull staging/IIO driver fixes from Greg KH:
       "Here are a few small staging and IIO driver fixes for issues that
        showed up after the big set if changes you merged last week.
      
        Nothing major, just small bugs resolved in some IIO drivers, a lustre
        allocation fix, and some RaspberryPi driver fixes for reported
        problems, as well as a MAINTAINERS entry update.
      
        All of these have been in linux-next for a week with no reported
        issues"
      
      * tag 'staging-4.11-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: fsl-mc: fix warning in DT ranges parser
        MAINTAINERS: Remove Noralf Trønnes as fbtft maintainer
        staging: vchiq_2835_arm: Make cache-line-size a required DT property
        staging: bcm2835/mmal-vchiq: unlock on error in buffer_from_host()
        staging/lustre/lnet: Fix allocation size for sv_cpt_data
        iio: adc: xilinx: Fix error handling
        iio: 104-quad-8: Fix off-by-one error when addressing flag register
        iio: adc: handle unknow of_device_id data
      91aff98b