| Message ID | 20240315172859.634263-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [v2] selinux: reject invalid ebitmaps | expand |
On Mar 15, 2024 =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> wrote: > > Reject ebitmaps with a node containing an empty map or with an incorrect > highbit. Both checks are already performed by userspace, the former > since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision > 2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol: > ebitmap: reject loading bitmaps with incorrect high bit")). > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > --- > v2: > update wording as suggested in [1] > > [1]: https://lore.kernel.org/selinux/d476b21729cafb28c1b881113a563b1f.paul@paul-moore.com/ > --- > security/selinux/ss/ebitmap.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) Merged into selinux/dev, thanks. -- paul-moore.com
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index 67c1a73cd5ee..f1ba333f127d 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c @@ -448,6 +448,10 @@ int ebitmap_read(struct ebitmap *e, void *fp) goto bad; } map = le64_to_cpu(mapbits); + if (!map) { + pr_err("SELinux: ebitmap: empty map\n"); + goto bad; + } index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE; while (map) { @@ -455,6 +459,13 @@ int ebitmap_read(struct ebitmap *e, void *fp) map = EBITMAP_SHIFT_UNIT_SIZE(map); } } + + if (n && n->startbit + EBITMAP_SIZE != e->highbit) { + pr_err("SELinux: ebitmap: high bit %d is not equal to the expected value %ld\n", + e->highbit, n->startbit + EBITMAP_SIZE); + goto bad; + } + ok: rc = 0; out:
Reject ebitmaps with a node containing an empty map or with an incorrect highbit. Both checks are already performed by userspace, the former since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision 2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol: ebitmap: reject loading bitmaps with incorrect high bit")). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: update wording as suggested in [1] [1]: https://lore.kernel.org/selinux/d476b21729cafb28c1b881113a563b1f.paul@paul-moore.com/ --- security/selinux/ss/ebitmap.c | 11 +++++++++++ 1 file changed, 11 insertions(+)