SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] selinux: check sidtab limit before adding a new entry
@ 2019-07-23  6:50 Ondrej Mosnacek
  2019-07-23 22:15 ` Kees Cook
  2019-07-24 15:18 ` Paul Moore
  0 siblings, 2 replies; 3+ messages in thread
From: Ondrej Mosnacek @ 2019-07-23  6:50 UTC (permalink / raw)
  To: selinux, Paul Moore
  Cc: NitinGote, kernel-hardening, Kees Cook, William Roberts

We need to error out when trying to add an entry above SIDTAB_MAX in
sidtab_reverse_lookup() to avoid overflow on the odd chance that this
happens.

Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 security/selinux/ss/sidtab.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index e63a90ff2728..1f0a6eaa2d6a 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context,
 		++count;
 	}
 
+	/* bail out if we already reached max entries */
+	rc = -EOVERFLOW;
+	if (count >= SIDTAB_MAX)
+		goto out_unlock;
+
 	/* insert context into new entry */
 	rc = -ENOMEM;
 	dst = sidtab_do_lookup(s, count, 1);
-- 
2.21.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] selinux: check sidtab limit before adding a new entry
  2019-07-23  6:50 [PATCH v2] selinux: check sidtab limit before adding a new entry Ondrej Mosnacek
@ 2019-07-23 22:15 ` Kees Cook
  2019-07-24 15:18 ` Paul Moore
  1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2019-07-23 22:15 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: selinux, Paul Moore, NitinGote, kernel-hardening, William Roberts

On Tue, Jul 23, 2019 at 08:50:59AM +0200, Ondrej Mosnacek wrote:
> We need to error out when trying to add an entry above SIDTAB_MAX in
> sidtab_reverse_lookup() to avoid overflow on the odd chance that this
> happens.
> 
> Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  security/selinux/ss/sidtab.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
> index e63a90ff2728..1f0a6eaa2d6a 100644
> --- a/security/selinux/ss/sidtab.c
> +++ b/security/selinux/ss/sidtab.c
> @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context,
>  		++count;
>  	}
>  
> +	/* bail out if we already reached max entries */
> +	rc = -EOVERFLOW;
> +	if (count >= SIDTAB_MAX)
> +		goto out_unlock;
> +
>  	/* insert context into new entry */
>  	rc = -ENOMEM;
>  	dst = sidtab_do_lookup(s, count, 1);
> -- 
> 2.21.0
> 

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] selinux: check sidtab limit before adding a new entry
  2019-07-23  6:50 [PATCH v2] selinux: check sidtab limit before adding a new entry Ondrej Mosnacek
  2019-07-23 22:15 ` Kees Cook
@ 2019-07-24 15:18 ` Paul Moore
  1 sibling, 0 replies; 3+ messages in thread
From: Paul Moore @ 2019-07-24 15:18 UTC (permalink / raw)
  To: Ondrej Mosnacek
  Cc: selinux, NitinGote, kernel-hardening, Kees Cook, William Roberts

On Tue, Jul 23, 2019 at 2:51 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> We need to error out when trying to add an entry above SIDTAB_MAX in
> sidtab_reverse_lookup() to avoid overflow on the odd chance that this
> happens.
>
> Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  security/selinux/ss/sidtab.c | 5 +++++
>  1 file changed, 5 insertions(+)

Thanks.  This looks like -stable material to me so I've marked it as
such and merged it into selinux/stable-5.3; assuming it passes
testing, and as long as I don't hear any objections, I'll send it up
to Linus later this week.

> diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
> index e63a90ff2728..1f0a6eaa2d6a 100644
> --- a/security/selinux/ss/sidtab.c
> +++ b/security/selinux/ss/sidtab.c
> @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context,
>                 ++count;
>         }
>
> +       /* bail out if we already reached max entries */
> +       rc = -EOVERFLOW;
> +       if (count >= SIDTAB_MAX)
> +               goto out_unlock;
> +
>         /* insert context into new entry */
>         rc = -ENOMEM;
>         dst = sidtab_do_lookup(s, count, 1);
> --
> 2.21.0

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-23  6:50 [PATCH v2] selinux: check sidtab limit before adding a new entry Ondrej Mosnacek
2019-07-23 22:15 ` Kees Cook
2019-07-24 15:18 ` Paul Moore

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox