Hi,

4.14 is failing the selinux-testsuite labeled IPSEC tests despite having just been fixed in commit cf37966751747727 ("xfrm: do unconditional template resolution before pcpu cache check"). The breaking commit is the very next one, commit c9f3f813d462c72d ("xfrm: Fix stack-out-of-bounds read in xfrm_state_find."). Unlike the earlier breakage, which caused use of the wrong SA, this one leads to a failure on connect().

Running ip xfrm monitor during one of the failing tests shows the following:

acquire proto ah
  sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 0 dport 65535 dev lo
  policy src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp
    security context unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023
    dir out priority 0 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
      proto ah reqid 0 mode transport
Expired src 127.0.0.1 dst 0.0.0.0
  proto ah spi 0x00000000 reqid 0 mode transport
  replay-window 0
  sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 0 dport 65535 dev lo
  hard 1

On the last working commit, connect() instead succeeds and ip xfrm monitor shows the following:

Async event  (0x20)  timer expired
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200
Async event  (0x10)  replay update
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200
Async event  (0x10)  replay update
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200

Reproducer:

# Install a Fedora VM w/ SELinux enabled (default).
$ git clone https://github.com/SELinuxProject/selinux-testsuite/
# Make sure you have the requisite kernel config options enabled.
$ cd linux
$ ./scripts/kconfig/merge_config.sh .config ../selinux-testsuite/defconfig
$ make
$ sudo make modules_install install
$ sudo reboot
# Install dependencies.
sudo dnf install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables
# Build and run the tests
sudo make test

After running once as above, you can run just the inet socket tests again via:

cd tests/inet_socket
./test
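As an added example, not part of the original report or of the selinux-testsuite: a POSIX shell helper that classifies a saved `ip xfrm monitor` capture by the two signatures quoted above, so a bisect run can be judged from the trace rather than by eyeballing it. The classification rule is my reading of the traces, not something the report states: an `acquire` followed by a hard expire of the `spi 0x00000000` larval state means no installed SA matched the policy template (the failing case), while `replay update` events on a non-zero SPI mean an installed SA actually carried the traffic (the working case). The two sample traces are constructed from the output quoted in the report; the function name `classify_xfrm_trace` is my own.

```shell
#!/bin/sh
# Classify an `ip xfrm monitor` trace as the failing signature from the report
# (acquire + hard expire of the SPI-0 larval state) or the working signature
# (replay updates on a real, non-zero SPI). Helper and rule are assumptions
# of this example, not part of the report or the testsuite.

# Constructed sample: the failing trace (connect() fails).
FAILING_TRACE='acquire proto ah
  sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 0 dport 65535 dev lo
  policy src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp
    security context unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023
    dir out priority 0 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
      proto ah reqid 0 mode transport
Expired src 127.0.0.1 dst 0.0.0.0
  proto ah spi 0x00000000 reqid 0 mode transport
  replay-window 0
  sel src 127.0.0.1/32 dst 127.0.0.1/32 proto tcp sport 0 dport 65535 dev lo
  hard 1'

# Constructed sample: the working trace (connect() succeeds).
WORKING_TRACE='Async event  (0x20)  timer expired
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200
Async event  (0x10)  replay update
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200
Async event  (0x10)  replay update
  src 127.0.0.1 dst 127.0.0.1  reqid 0x0 protocol ah  SPI 0x200'

# classify_xfrm_trace: read a trace on stdin and print exactly one of
#   acquire-expired  an acquire was emitted and the larval state (spi 0x00000000)
#                    hard-expired: no installed SA matched the policy template
#   sa-used          a replay update was seen on a non-zero SPI: an installed SA
#                    carried the traffic
#   unknown          neither signature is present
classify_xfrm_trace() {
    trace=$(cat)
    if printf '%s\n' "$trace" | grep -q '^acquire ' &&
       printf '%s\n' "$trace" | grep -q 'spi 0x00000000' &&
       printf '%s\n' "$trace" | grep -q 'hard 1'; then
        echo acquire-expired
    elif printf '%s\n' "$trace" | grep -q 'replay update' &&
         printf '%s\n' "$trace" | grep -Eq 'SPI 0x0*[1-9a-fA-F]'; then
        echo sa-used
    else
        echo unknown
    fi
}

# Demo on the constructed samples.
printf '%s\n' "$FAILING_TRACE" | classify_xfrm_trace   # acquire-expired
printf '%s\n' "$WORKING_TRACE" | classify_xfrm_trace   # sa-used
```

To use it against a real run, save the monitor output to a file while the test executes (`ip xfrm monitor > trace.txt &`, run `./test`, then stop the monitor) and feed the file to `classify_xfrm_trace < trace.txt`; `acquire-expired` on a given commit marks it as exhibiting the connect() failure described above.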