From patchwork Tue Feb 26 00:06:06 2019
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 10829311
From: Paul Moore
Subject: [PATCH] netlabel: fix out-of-bounds memory accesses
To: netdev@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Date: Mon, 25 Feb 2019 19:06:06 -0500
Message-ID: <155113956675.10125.14312108729252175194.stgit@chester>
User-Agent: StGit/0.19-dirty

There are two array out-of-bounds memory accesses, one in cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both errors are embarrassingly simple, and the fixes are straightforward.

As a FYI for anyone backporting this patch to kernels prior to v4.8, you'll want to apply the netlbl_bitmap_walk() patch to cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before Linux v4.8.

Reported-by: Jann Horn
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore
---
 net/ipv4/cipso_ipv4.c        | 3 ++-
 net/netlabel/netlabel_kapi.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 777fa3b7fb13..f4b83de2263e 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level) case CIPSO_V4_MAP_PASS: return 0; case CIPSO_V4_MAP_TRANS: - if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) + if ((level < doi_def->map.std->lvl.cipso_size) && + (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) return 0; break; } diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index ea7c67050792..ee3e5b6471a6 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c
@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len, (state == 0 && (byte & bitmask) == 0)) return bit_spot; - bit_spot++; + if (++bit_spot >= bitmap_len) + return -1; bitmask >>= 1; if (bitmask == 0) { byte = bitmap[++byte_offset];
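Review bot: in the cipso_v4_map_lvl_valid() hunk the new `level < doi_def->map.std->lvl.cipso_size` test is the correct guard, because `&&` short-circuits and `lvl.cipso[level]` is only read once the index is known to be in range; two small requests. The parentheses around each operand of `&&` are redundant and kernel style normally omits them, so `if (level < doi_def->map.std->lvl.cipso_size && doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)` would read cleaner. A one-line comment noting that `level` is a u8 (per the signature in the hunk header) while the table is sized by `cipso_size`, so the two bounds are independent and the explicit check is required, would tell the next reader why this test exists rather than leaving it to the commit message.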
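Review bot: in the netlbl_bitmap_walk() hunk the bounds test is placed correctly, before `bitmask` rolls over and `byte = bitmap[++byte_offset]` fetches the next byte, but it only covers bits reached after an increment: the check is on `++bit_spot`, so the starting bit_spot/byte_offset derived from the caller's offset is not validated by this change. Please confirm, ideally in the commit message, that the initial offset is checked against bitmap_len before the loop, otherwise the first read can still be out of bounds. A short comment at the new check that bitmap_len is a count of bits (it is compared directly with bit_spot, and the hunk header shows it as a u32) would also help, since a caller passing a byte count would make this guard eight times too permissive.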