* [PATCH] netlabel: fix out-of-bounds memory accesses
@ 2019-02-26 0:06 Paul Moore
2019-02-28 5:46 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Paul Moore @ 2019-02-26 0:06 UTC (permalink / raw)
To: netdev; +Cc: linux-security-module, selinux
There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
errors are embarassingly simple, and the fixes are straightforward.
As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.
Reported-by: Jann Horn <jannh@google.com>
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
net/ipv4/cipso_ipv4.c | 3 ++-
net/netlabel/netlabel_kapi.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 777fa3b7fb13..f4b83de2263e 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
case CIPSO_V4_MAP_PASS:
return 0;
case CIPSO_V4_MAP_TRANS:
- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
+ if ((level < doi_def->map.std->lvl.cipso_size) &&
+ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
return 0;
break;
}
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ea7c67050792..ee3e5b6471a6 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
(state == 0 && (byte & bitmask) == 0))
return bit_spot;
- bit_spot++;
+ if (++bit_spot >= bitmap_len)
+ return -1;
bitmask >>= 1;
if (bitmask == 0) {
byte = bitmap[++byte_offset];
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] netlabel: fix out-of-bounds memory accesses
2019-02-26 0:06 [PATCH] netlabel: fix out-of-bounds memory accesses Paul Moore
@ 2019-02-28 5:46 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2019-02-28 5:46 UTC (permalink / raw)
To: paul; +Cc: netdev, linux-security-module, selinux
From: Paul Moore <paul@paul-moore.com>
Date: Mon, 25 Feb 2019 19:06:06 -0500
> There are two array out-of-bounds memory accesses, one in
> cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
> errors are embarassingly simple, and the fixes are straightforward.
>
> As a FYI for anyone backporting this patch to kernels prior to v4.8,
> you'll want to apply the netlbl_bitmap_walk() patch to
> cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
> Linux v4.8.
>
> Reported-by: Jann Horn <jannh@google.com>
> Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
> Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
> Signed-off-by: Paul Moore <paul@paul-moore.com>
Applied, thanks Paul.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-02-28 5:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-26 0:06 [PATCH] netlabel: fix out-of-bounds memory accesses Paul Moore
2019-02-28 5:46 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).