From patchwork Mon Jun 13 14:16:32 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Moore X-Patchwork-Id: 9173149 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 98ABF60573 for ; Mon, 13 Jun 2016 14:18:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 899C320223 for ; Mon, 13 Jun 2016 14:18:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7ABE1265B9; Mon, 13 Jun 2016 14:18:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00 autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3095C20223 for ; Mon, 13 Jun 2016 14:18:49 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.26,466,1459814400"; d="scan'208";a="14588553" IronPort-PHdr: =?us-ascii?q?9a23=3A3ZtHQhElpaP6sAndH5rQp51GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ74ps+wAkXT6L1XgUPTWs2DsrQf27uQ4/mrBzdIyK3CmU5BWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?= =?us-ascii?q?Ov7yUtaLyZ/nhqbiotaNOE1hv3mUX/BbFF2OtwLft80b08NJC50a7V/3mEZOYP?= =?us-ascii?q?lc3mhyJFiezF7W78a0+4N/oWwL46pyv/NaVe3GW4hwDfkBVHV1e1wyscvmqRXO?= =?us-ascii?q?UyOR6XYGFGYbiBxFB07C9h6+FpPwtDbq8/Fw0zSAPNHnCLUzVSmm4o91RxLyzi?= =?us-ascii?q?QKLTg09CfQkMM0xLlWpBOnugxX35/fYIbTMuF3OKzaY4A0X21EC/5YSigJJ4S7?= =?us-ascii?q?dYZHW/IEOuFCoqHnqlcOpAf4Dg6pUrC8ggRUj2P7iPVpm98qFhvLiUl5R98=3D?= X-IPAS-Result: =?us-ascii?q?A2E9BQA2wF5X/wHyM5BbHAEBgyCBU4ourEWGICSFewOBNEw?= =?us-ascii?q?BAQEBAQECAmIRFoIwgiICJBMUIA4DCQIXCCEICAMBLRUYBwsFGASID7dxASSGJ?= =?us-ascii?q?4F/hmARAYV3AQSYYZdsF4VDAkaPKFSEClKIU4E1AQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jun 2016 14:18:47 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u5DEIglR028298; Mon, 13 Jun 2016 10:18:44 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u5DEGakb277738 for ; Mon, 13 Jun 2016 10:16:36 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u5DEGaiS028011 for ; Mon, 13 Jun 2016 10:16:36 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1DSAQC9v15XZBy3hNFbGwEBAYMggVO2c4IlhAgShzdMAQEBAQEBBRsLCgYjGYUKBIECBQImAkkXEogwpn+RE4EBhSaBf4oPgloFmGGXbIVaAkaPKIReIDKKCAEBAQ X-IPAS-Result: A1DSAQC9v15XZBy3hNFbGwEBAYMggVO2c4IlhAgShzdMAQEBAQEBBRsLCgYjGYUKBIECBQImAkkXEogwpn+RE4EBhSaBf4oPgloFmGGXbIVaAkaPKIReIDKKCAEBAQ X-IronPort-AV: E=Sophos;i="5.26,466,1459828800"; d="scan'208";a="5509679" Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov) ([10.208.41.36]) by goalie.tycho.ncsc.mil with ESMTP; 13 Jun 2016 10:16:36 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3ArTofvBRIBxeyq6EapIrHJuj1HNpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa64bRyN2/xhgRfzUJnB7Loc0qyN4/GmCTVLv83JmUtBWaIPfidNsd?= =?us-ascii?q?8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3BPAZ4?= =?us-ascii?q?bt74BpTVx5zukbviqtuDOk4W33KUWvBbElaflU3prM4YgI9veO4a6yDihT92Qd?= =?us-ascii?q?lQ3n5iPlmJnhzxtY+a9Z9n9DlM6bp6r5YTGfayQ6NtS7FEADk4G3466detthTZ?= =?us-ascii?q?SwaLoHwGXSFelhtOHhiA9xzxQ43wrjq/s+1xxS2XFdP5QKpyWjm46apvDhjyh2?= =?us-ascii?q?NPLDM98WfKmuRsnalbp1SnvBU5zInKM6+PM/8rRqrAeZs/Qm1bU44FTylGBZmx?= =?us-ascii?q?R5ECA+oIIaBTqIyr9AhGlge3GQT5XLCn8TRPnHKjhaA=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0H6AQADv15XZBy3hNFbHAEBgyCBU4our?= =?us-ascii?q?EWCJYQIEoc3TAEBAQEBAQICARsLECMZFoIwgkQEgQIFAiYCSRcSiDCmfJETgQG?= =?us-ascii?q?FJoF/ig+CWgWYYZdshVoCRo8ohF4gMooIAQEB?= X-IPAS-Result: =?us-ascii?q?A0H6AQADv15XZBy3hNFbHAEBgyCBU4ourEWCJYQIEoc3TAE?= =?us-ascii?q?BAQEBAQICARsLECMZFoIwgkQEgQIFAiYCSRcSiDCmfJETgQGFJoF/ig+CWgWYY?= =?us-ascii?q?ZdshVoCRo8ohF4gMooIAQEB?= X-IronPort-AV: E=Sophos;i="5.26,466,1459814400"; d="scan'208";a="14588373" Received: from mx1.redhat.com ([209.132.183.28]) by emsm-gh1-uea10.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jun 2016 14:16:34 +0000 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0FFEC711D9; Mon, 13 Jun 2016 14:16:34 +0000 (UTC) Received: from [127.0.0.1] (vpn-62-8.rdu2.redhat.com [10.10.62.8]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u5DEGXM5021973; Mon, 13 Jun 2016 10:16:33 -0400 Subject: [PATCH] netlabel: handle sparse category maps in netlbl_catmap_getlong() From: Paul Moore To: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Date: Mon, 13 Jun 2016 10:16:32 -0400 Message-ID: <146582739278.15237.7893325845379293452.stgit@localhost> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Mon, 13 Jun 2016 14:16:34 +0000 (UTC) X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Paul Moore In cases where the category bitmap is sparse enough that gaps exist between netlbl_lsm_catmap structs, callers to netlbl_catmap_getlong() could find themselves prematurely ending their search through the category bitmap. Further, the methods used to calculate the 'idx' and 'off' values were incorrect for bitmaps this large. This patch changes the netlbl_catmap_getlong() behavior so that it always skips over gaps and calculates the index and offset values correctly. Signed-off-by: Paul Moore --- net/netlabel/netlabel_kapi.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index bd007a9..3c070f2 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -609,20 +609,19 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap, off = catmap->startbit; *offset = off; } - iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_NONE, 0); + iter = _netlbl_catmap_getnode(&catmap, off, _CM_F_WALK, 0); if (iter == NULL) { *offset = (u32)-1; return 0; } if (off < iter->startbit) { - off = iter->startbit; - *offset = off; + *offset = iter->startbit; + off = 0; } else off -= iter->startbit; - idx = off / NETLBL_CATMAP_MAPSIZE; - *bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_SIZE); + *bitmap = iter->bitmap[idx] >> (off % NETLBL_CATMAP_MAPSIZE); return 0; }