5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mickaël Salaün <mic@xxxxxxxxxxx>
[ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ]
The IPv6 network stack first checks the sockaddr length (-EINVAL error)
before checking the family (-EAFNOSUPPORT error).
This was discovered thanks to commit a549d055a22e ("selftests/landlock:
Add network tests").
Cc: Eric Paris <eparis@xxxxxxxxxxxxxx>
Cc: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
Cc: Paul Moore <paul@xxxxxxxxxxxxxx>
Cc: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Reported-by: Muhammad Usama Anjum <usama.anjum@xxxxxxxxxxxxx>
Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@xxxxxxxxxxxxx
Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()")
Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
Tested-by: Muhammad Usama Anjum <usama.anjum@xxxxxxxxxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
security/selinux/hooks.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d9f15c84aab7..c1bf319b459a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4625,6 +4625,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
return -EINVAL;
addr4 = (struct sockaddr_in *)address;
if (family_sa == AF_UNSPEC) {
+ if (family == PF_INET6) {
+ /* Length check from inet6_bind_sk() */
+ if (addrlen < SIN6_LEN_RFC2133)
+ return -EINVAL;
+ /* Family check from __inet6_bind() */
+ goto err_af;
+ }
/* see __inet_bind(), we only want to allow
* AF_UNSPEC if the address is INADDR_ANY
*/
--
2.43.0
