Re: [PATCH v2] selinux: check for address length in selinux_socket_bind()
From: David Miller
Date: Thu Mar 09 2017 - 02:12:20 EST
From: Alexander Potapenko <glider@xxxxxxxxxx>
Date: Mon, 6 Mar 2017 19:46:14 +0100
> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in selinux_socket_bind():
> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
> , when I run the following program as root:
> (for different values of |size| other error reports are printed).
> This happens because bind() unconditionally copies |size| bytes of
> |addr| to the kernel, leaving the rest uninitialized. Then
> security_socket_bind() reads the IP address bytes, including the
> uninitialized ones, to determine the port, or e.g. pass them further to
> sel_netnode_find(), which uses them to calculate a hash.
> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
Are the SELINUX folks going to pick this up or should I?