diff options
| author | Mickaël Salaün <mic@digikod.net> | 2024-01-03 17:34:15 +0100 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2024-01-04 16:54:54 -0500 |
| commit | bbf5a1d0e5d0fb3bdf90205aa872636122692a50 (patch) | |
| tree | ac2621f04c8c8fe92502e528afda137b065f3c03 /security | |
| parent | cc2a7341994a5b46abd8a1e05ca018b88f29fe45 (diff) | |
selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket
The IPv6 network stack first checks the sockaddr length (-EINVAL error)
before checking the family (-EAFNOSUPPORT error).
This was discovered thanks to commit a549d055a22e ("selftests/landlock:
Add network tests").
Cc: Eric Paris <eparis@parisplace.org>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com
Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Tested-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 863ff67e7849..7c69ce62c106 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4695,6 +4695,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in return -EINVAL; addr4 = (struct sockaddr_in *)address; if (family_sa == AF_UNSPEC) { + if (family == PF_INET6) { + /* Length check from inet6_bind_sk() */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Family check from __inet6_bind() */ + goto err_af; + } /* see __inet_bind(), we only want to allow * AF_UNSPEC if the address is INADDR_ANY */ |