Re: Use-after-free in selinux_ip_postroute_compat

From: Eric Dumazet
Date: Thu Nov 05 2015 - 14:46:54 EST


On Thu, 2015-11-05 at 20:36 +0100, Dmitry Vyukov wrote:
> Hello,
>
> I've updated from bcee19f424a0d8c26ecf2607b73c690802658b29 (Sep 21) to
> 8e483ed1342a4ea45b70f0f33ac54eff7a33d918 (Nov 4) and started seeing the
> following use-after-free reports:
>

Thanks for your report, I will add a followup to this fix:

commit e446f9dfe17bbaa76a1fe22912636f38be1e1af8
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Thu Oct 8 05:01:55 2015 -0700

net: synack packets can be attached to request sockets

selinux needs few changes to accommodate fact that SYNACK messages
can be attached to a request socket, lacking sk_security pointer

(Only syncookies are still attached to a TCP_LISTEN socket)

Adds a new sk_listener() helper, and use it in selinux and sch_fq

Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reported by: kernel test robot <ying.huang@xxxxxxxxxxxxxxx>
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>

