[PATCH] cipso, calipso: resolve a number of problems with the DOI refcounts
Paul Moore
paul at paul-moore.com
Thu Mar 4 21:32:53 UTC 2021
On Thu, Mar 4, 2021 at 4:29 PM Paul Moore <paul at paul-moore.com> wrote:
>
> The current CIPSO and CALIPSO refcounting scheme for the DOI
> definitions is a bit flawed in that we:
>
> 1. Don't correctly match gets/puts in netlbl_cipsov4_list().
> 2. Decrement the refcount on each attempt to remove the DOI from the
> DOI list, only removing it from the list once the refcount drops
> to zero.
>
> This patch fixes these problems by adding the missing "puts" to
> netlbl_cipsov4_list() and introduces a more conventional, i.e.
> not-buggy, refcounting mechanism to the DOI definitions. Upon the
> addition of a DOI to the DOI list, it is initialized with a refcount
> of one, removing a DOI from the list removes it from the list and
> drops the refcount by one; "gets" and "puts" behave as expected with
> respect to refcounts, increasing and decreasing the DOI's refcount by
> one.
>
> Fixes: b1edeb102397 ("netlabel: Replace protocol/NetLabel linking with refrerence counts")
> Fixes: d7cce01504a0 ("netlabel: Add support for removing a CALIPSO DOI.")
> Reported-by: syzbot+9ec037722d2603a9f52e at syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> net/ipv4/cipso_ipv4.c | 11 +----------
> net/ipv6/calipso.c | 14 +++++---------
> net/netlabel/netlabel_cipso_v4.c | 3 +++
> 3 files changed, 9 insertions(+), 19 deletions(-)

As a FYI, this patch has been tested by looping through a number of
NetLabel/CALIPSO/CIPSO tests overnight, a reproducer from one of the
syzbot reports (multiple times), and the selinux-testsuite tests;
everything looked good at the end of the testing.

Thanks to syzbot and Dmitry for finding and reporting the bug.

--
paul moore
www.paul-moore.com
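
Added example, not part of the original message or of the kernel patch: a userspace C model of the two removal schemes the commit message describes, showing how decrementing on every remove attempt releases a DOI definition while a reference is still held. The struct, function names, return codes and the starting count of one in both schemes are assumptions made for illustration.

```c
#include <stdbool.h>

/* Userspace model of one DOI definition; field names are assumptions. */
struct doi { int refcount; bool on_list; bool freed; };

/* Adding to the list initializes the refcount to one (the list's reference). */
static void doi_add(struct doi *d) { d->refcount = 1; d->on_list = true; d->freed = false; }
static void doi_get(struct doi *d) { d->refcount++; }

/* Drop one reference; release the object when the last one goes away. */
static void doi_put(struct doi *d)
{
	if (--d->refcount == 0)
		d->freed = true;
}

/* Flawed removal: every attempt costs a reference, unlink only at zero. */
static int doi_remove_flawed(struct doi *d)
{
	if (!d->on_list)
		return -1;              /* not found */
	if (--d->refcount > 0)
		return -2;              /* busy, yet a reference is already gone */
	d->on_list = false;
	d->freed = true;
	return 0;
}

/* Fixed removal: unlink first, then drop only the list's own reference. */
static int doi_remove_fixed(struct doi *d)
{
	if (!d->on_list)
		return -1;              /* a repeated remove changes nothing */
	d->on_list = false;
	doi_put(d);
	return 0;
}

/* Add, take one reference, attempt removal twice; report whether the
 * definition was released while that reference was still outstanding. */
static bool freed_under_holder(int (*remove_fn)(struct doi *))
{
	struct doi d;
	doi_add(&d);
	doi_get(&d);                    /* one user holds a reference */
	remove_fn(&d);
	remove_fn(&d);
	return d.freed;                 /* holder has not called doi_put() yet */
}
```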