On Wed, Jan 16, 2019 at 5:14 AM John Johansen <john.johansen@xxxxxxxxxxxxx> wrote:
>
> kernel: 5.0-rc2
>
> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>
> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>
> specifically the portion of the patch that does
>
> - isec = msq->q_perm.security;
> + isec = msq->security;
>
> which leaves the code
>
> isec = msq->security;
> msec = msg->security;
>
> however isec and msec are different size structures. Specifically, isec is an ipc_security_struct and msec is a msg_security_struct

...

I suspect there may be some mistaken identity regarding "msq" (with a lower-case "Q") and "msg" (with a lower-case "G"). Looking quickly at selinux_msg_queue_msgsnd() and selinux_msg_queue_msgrcv(), it would appear that in both cases the kern_ipc_perm->security pointer is assigned to an ipc_security_struct pointer and the msg_msg->security struct is assigned to a msg_security_struct pointer. This appears to be correct, or is there something I'm missing in your report?

--
paul moore
www.paul-moore.com