6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mickaël Salaün <mic@xxxxxxxxxxx> [ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ] The IPv6 network stack first checks the sockaddr length (-EINVAL error) before checking the family (-EAFNOSUPPORT error). This was discovered thanks to commit a549d055a22e ("selftests/landlock: Add network tests"). Cc: Eric Paris <eparis@xxxxxxxxxxxxxx> Cc: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx> Cc: Paul Moore <paul@xxxxxxxxxxxxxx> Cc: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> Reported-by: Muhammad Usama Anjum <usama.anjum@xxxxxxxxxxxxx> Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@xxxxxxxxxxxxx Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx> Tested-by: Muhammad Usama Anjum <usama.anjum@xxxxxxxxxxxxx> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- security/selinux/hooks.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d88c399b0e86..d45e9fa74e62 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4690,6 +4690,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in return -EINVAL; addr4 = (struct sockaddr_in *)address; if (family_sa == AF_UNSPEC) { + if (family == PF_INET6) { + /* Length check from inet6_bind_sk() */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Family check from __inet6_bind() */ + goto err_af; + } /* see __inet_bind(), we only want to allow * AF_UNSPEC if the address is INADDR_ANY */ -- 2.43.0