* [PATCH net-next] netlabel: fix out-of-bounds memory accesses
@ 2022-03-18 6:35 Wang Yufen
2022-03-20 21:55 ` Paul Moore
2022-03-21 11:10 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Wang Yufen @ 2022-03-18 6:35 UTC (permalink / raw)
To: paul, davem, kuba, pabeni; +Cc: netdev, linux-security-module, linux-kernel
In calipso_map_cat_ntoh(), in the for loop, if the return value of
netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
of bitmap[byte_offset] occurs.
The bug was found during fuzzing. The following is the fuzzing report
BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x21c/0x230
show_stack+0x1c/0x60
dump_stack_lvl+0x64/0x7c
print_address_description.constprop.0+0x70/0x2d0
__kasan_report+0x158/0x16c
kasan_report+0x74/0x120
__asan_load1+0x80/0xa0
netlbl_bitmap_walk+0x3c/0xd0
calipso_opt_getattr+0x1a8/0x230
calipso_sock_getattr+0x218/0x340
calipso_sock_getattr+0x44/0x60
netlbl_sock_getattr+0x44/0x80
selinux_netlbl_socket_setsockopt+0x138/0x170
selinux_socket_setsockopt+0x4c/0x60
security_socket_setsockopt+0x4c/0x90
__sys_setsockopt+0xbc/0x2b0
__arm64_sys_setsockopt+0x6c/0x84
invoke_syscall+0x64/0x190
el0_svc_common.constprop.0+0x88/0x200
do_el0_svc+0x88/0xa0
el0_svc+0x128/0x1b0
el0t_64_sync_handler+0x9c/0x120
el0t_64_sync+0x16c/0x170
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
---
net/netlabel/netlabel_kapi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index beb0e573266d..54c083003947 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
unsigned char bitmask;
unsigned char byte;
+ if (offset >= bitmap_len)
+ return -1;
byte_offset = offset / 8;
byte = bitmap[byte_offset];
bit_spot = offset;
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net-next] netlabel: fix out-of-bounds memory accesses
2022-03-18 6:35 [PATCH net-next] netlabel: fix out-of-bounds memory accesses Wang Yufen
@ 2022-03-20 21:55 ` Paul Moore
2022-03-21 11:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2022-03-20 21:55 UTC (permalink / raw)
To: Wang Yufen
Cc: davem, kuba, pabeni, netdev, linux-security-module, linux-kernel
On Fri, Mar 18, 2022 at 2:17 AM Wang Yufen <wangyufen@huawei.com> wrote:
>
> In calipso_map_cat_ntoh(), in the for loop, if the return value of
> netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
> netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
> of bitmap[byte_offset] occurs.
>
> The bug was found during fuzzing. The following is the fuzzing report
> BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
> Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
>
> CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> dump_backtrace+0x21c/0x230
> show_stack+0x1c/0x60
> dump_stack_lvl+0x64/0x7c
> print_address_description.constprop.0+0x70/0x2d0
> __kasan_report+0x158/0x16c
> kasan_report+0x74/0x120
> __asan_load1+0x80/0xa0
> netlbl_bitmap_walk+0x3c/0xd0
> calipso_opt_getattr+0x1a8/0x230
> calipso_sock_getattr+0x218/0x340
> calipso_sock_getattr+0x44/0x60
> netlbl_sock_getattr+0x44/0x80
> selinux_netlbl_socket_setsockopt+0x138/0x170
> selinux_socket_setsockopt+0x4c/0x60
> security_socket_setsockopt+0x4c/0x90
> __sys_setsockopt+0xbc/0x2b0
> __arm64_sys_setsockopt+0x6c/0x84
> invoke_syscall+0x64/0x190
> el0_svc_common.constprop.0+0x88/0x200
> do_el0_svc+0x88/0xa0
> el0_svc+0x128/0x1b0
> el0t_64_sync_handler+0x9c/0x120
> el0t_64_sync+0x16c/0x170
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> ---
> net/netlabel/netlabel_kapi.c | 2 ++
> 1 file changed, 2 insertions(+)
Looks good to me, thanks for catching this and submitting a fix.
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index beb0e573266d..54c083003947 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
> unsigned char bitmask;
> unsigned char byte;
>
> + if (offset >= bitmap_len)
> + return -1;
> byte_offset = offset / 8;
> byte = bitmap[byte_offset];
> bit_spot = offset;
--
paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net-next] netlabel: fix out-of-bounds memory accesses
2022-03-18 6:35 [PATCH net-next] netlabel: fix out-of-bounds memory accesses Wang Yufen
2022-03-20 21:55 ` Paul Moore
@ 2022-03-21 11:10 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-03-21 11:10 UTC (permalink / raw)
To: Wang Yufen
Cc: paul, davem, kuba, pabeni, netdev, linux-security-module, linux-kernel
Hello:
This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:
On Fri, 18 Mar 2022 14:35:08 +0800 you wrote:
> In calipso_map_cat_ntoh(), in the for loop, if the return value of
> netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
> netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
> of bitmap[byte_offset] occurs.
>
> The bug was found during fuzzing. The following is the fuzzing report
> BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
> Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
>
> [...]
Here is the summary with links:
- [net-next] netlabel: fix out-of-bounds memory accesses
https://git.kernel.org/netdev/net-next/c/f22881de730e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-21 11:10 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-18 6:35 [PATCH net-next] netlabel: fix out-of-bounds memory accesses Wang Yufen
2022-03-20 21:55 ` Paul Moore
2022-03-21 11:10 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.