Re: [PATCH] netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
From: Paul Moore
Date: Fri Mar 28 2025 - 12:02:20 EST
On Fri, Mar 28, 2025 at 8:02 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote:
> On Wed, 26 Mar 2025 15:38:25 -0400 Paul Moore wrote:
> > For all three function, I'd probably add a single blank line between
> > the local variable declarations and the code below for the sake of
> > readability. I'd probably also drop the comment as the code seems
> > reasonably obvious (inet6_sk() can return NULL, we can't do anything
> > with a NULL ptr so bail), but neither are reasons for not applying
> > this patch, if anything they can be fixed up during the merge assuming
> > the patch author agrees.
> >
> > Anyway, this looks good to me, Jakub and/or other netdev folks, we
> > should get this marked for stable and sent up to Linus, do you want to
> > do that or should I?
>
> Thanks for the CC! Feel free to take it to Linus if you're happy with
> it. We don't have the posting on the list so it'd be minor pain to apply.
Will do. As long as it gets up to Linus somehow I'm happy.
> As you say the safety check is probably okay, tho, it's unclear from
> the commit message and comment how we get here with a v4 socket or
> perhaps not a fullsock..
Good point about the root-cause/reproducer; there was some discussion
about this issue on a separate private list and I think we lost some
of the information along the way. The initial report was for the
connect() case, but while looking into the problem I noticed a few
instances with a similar pattern and since we're only talking about
one additional NULL check during socket-level ops on a CALIPSO marked
socket (nothing per-packet), I figured to err on the side of safety.
Debin Zhu and Bitao Ouyang, considering the other suggested changes to
the code, would you be able to submit a second revision to the patch
that incorporates the suggested changes as well as an improved patch
description which includes your reproducer and notes on testing? You
can send the email to the LSM <linux-security-module@xxxxxxxxxxxxxxx>
list while CC'ing the netdev <netdev@xxxxxxxxxxxxxxx> list, the
SELinux <selinux@xxxxxxxxxxxxxxx> list, and me directly (just in case
there is another issue with the mailing lists). This should also give
you an opportunity to try posting to the mailing lists again ;)
--
paul-moore.com