On 1/16/19 5:14 AM, John Johansen wrote:
> kernel: 5.0-rc2
>
> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks") appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv, specifically the portion of the patch that does
>
>     -	isec = msq->q_perm.security;
>     +	isec = msq->security;
>
> which leaves the code
>
>     isec = msq->security;
>     msec = msg->security;
>
> However, isec and msec are different size structures. Specifically, isec is an ipc_security_struct and msec is a msg_security_struct, which are defined as
>
>     struct msg_security_struct {
>     	u32 sid;	/* SID of message */
>     };
>
>     struct ipc_security_struct {
>     	u16 sclass;	/* security class of this object */
>     	u32 sid;	/* SID of IPC resource */
>     };
>
> where the msg->security field is allocated as an ipc_security_struct. Accessing msec->sid would thus appear to overlay isec->sclass.
The only thing that changed in that commit was directly passing &msgq->q_perm to the hook instead of passing msgq to the hook and then dereferencing msq->q_perm to reach the ipc security blob.
msg is a different object from msq with its own security blob (msg is an individual message; msq is the message queue). isec and msec point to two different security blobs with different structures.
I don't see a problem offhand.