Bug Report: bug in selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv

kernel: 5.0-rc2

d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")

appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv


Specifically, the portion of the patch that does

-       isec = msq->q_perm.security;
+       isec = msq->security;
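Review bot: the hunk drops the q_perm indirection, which is only equivalent if msq is now a struct kern_ipc_perm * rather than a struct msg_queue * (as the commit title says), but the two lines shown carry no unchanged context, so neither the function's parameter declaration nor the neighbouring `msec = msg->security;` assignment is visible; include those context lines so a reviewer can confirm that isec still receives the kern_ipc_perm's ipc_security_struct and msec the message's msg_security_struct, since the assignment itself gives the compiler nothing to check.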

which leaves the code
	isec = msq->security;
	msec = msg->security;

However, isec and msec are structures of different sizes. Specifically, isec is an ipc_security_struct and msec is a msg_security_struct, which are defined as

struct msg_security_struct {
	u32 sid;	/* SID of message */
};

struct ipc_security_struct {
	u16 sclass;	/* security class of this object */
	u32 sid;	/* SID of IPC resource */
};

where the msg->security field is allocated as an ipc_security_struct. Accessing msec->sid would thus appear to overlay isec->sclass.
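The overlay described above, as an added userspace illustration that is not part of this report or of the kernel source: it models the two struct layouts quoted in the mail, stores constructed sample values into an ipc_security_struct, and shows that reading that object through msg_security_struct's sid offset returns the sclass bits instead of the SID. The sample values and the helper names are assumptions for the demonstration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t u16; typedef uint32_t u32;
/* The two layouts exactly as quoted in the report above. */
struct msg_security_struct {
	u32 sid;	/* SID of message */
};

struct ipc_security_struct {
	u16 sclass;	/* security class of this object */
	u32 sid;	/* SID of IPC resource */
};

/* Constructed sample values, used only for this demonstration. */
#define SAMPLE_SCLASS 0x1234u
#define SAMPLE_SID    0xdeadbeefu

/* Fill an ipc_security_struct, zeroing its padding so the result is deterministic. */
void init_sample_ipc(struct ipc_security_struct *isec)
{
	memset(isec, 0, sizeof(*isec));
	isec->sclass = SAMPLE_SCLASS;
	isec->sid = SAMPLE_SID;
}

/* Copy the u32 at byte offset 'off' out of an opaque security blob; memcpy keeps this
 * well-defined in userspace, while the kernel reaches the same bytes via msec->sid. */
u32 sid_at(const void *security, size_t off)
{
	u32 sid;
	memcpy(&sid, (const char *)security + off, sizeof sid);
	return sid;
}

/* What a caller sees when it reads the ipc object through msg_security_struct. */
u32 sid_read_as_msg(const void *security)
{
	return sid_at(security, offsetof(struct msg_security_struct, sid));
}

int main(void)
{
	struct ipc_security_struct obj;
	init_sample_ipc(&obj);
	printf("sid via ipc type=%#x, via msg type=%#x\n",
	       sid_at(&obj, offsetof(struct ipc_security_struct, sid)), sid_read_as_msg(&obj));
	return 0;
}
```

On a little-endian build the misread value is 0x00001234: the sclass field plus its zeroed padding, not the stored SID.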
