Re: [PATCH v2] selinux: check for address length in selinux_socket_bind()

From: David Miller
Date: Thu Mar 09 2017 - 02:12:20 EST


From: Alexander Potapenko <glider@xxxxxxxxxx>
Date: Mon, 6 Mar 2017 19:46:14 +0100

> KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
> uninitialized memory in selinux_socket_bind():
...
> (the line numbers are relative to 4.8-rc6, but the bug persists upstream)
>
> , when I run the following program as root:
...
> (for different values of |size| other error reports are printed).
>
> This happens because bind() unconditionally copies |size| bytes of
> |addr| to the kernel, leaving the rest uninitialized. Then
> security_socket_bind() reads the IP address bytes, including the
> uninitialized ones, to determine the port, or e.g. pass them further to
> sel_netnode_find(), which uses them to calculate a hash.
>
> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>

Are the SELINUX folks going to pick this up or should I?