On 1/16/19 6:47 AM, Stephen Smalley wrote:
> On 1/16/19 5:14 AM, John Johansen wrote:
>> kernel: 5.0-rc2
>>
>> d8c6e85432944 ("msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks")
>>
>> appears to have introduced a bug into selinux_msg_queue_msgsnd and selinux_msg_queue_msgrcv
>>
>> specifically the portion of the patch that does
>>
>> -	isec = msq->q_perm.security;
>> +	isec = msq->security;
>>
>> which leaves the code
>>
>> 	isec = msq->security;
>> 	msec = msg->security;
>>
>> however isec and msec are different-sized structures. Specifically, isec is an ipc_security_struct and msec is a msg_security_struct, which are defined as
>>
>> struct msg_security_struct {
>> 	u32 sid;	/* SID of message */
>> };
>>
>> struct ipc_security_struct {
>> 	u16 sclass;	/* security class of this object */
>> 	u32 sid;	/* SID of IPC resource */
>> };
>>
>> where the msg->security field is allocated as an ipc_security_struct. Accessing msec->sid would thus appear to overlay isec->sclass.
>
> The only thing that changed in that commit was directly passing &msgq->q_perm to the hook instead of passing msgq to the hook and then dereferencing msq->q_perm to reach the ipc security blob.
>
> msg is a different object from msq with its own security blob (msg is an individual message; msq is the message queue). isec and msec point to two different security blobs with different structures.
>
> I don't see a problem offhand.

yep, sorry, a combination of bad fonts and it being 3am. sorry for the bad report