[PATCH 3/3] selinux: fix overflow and 0 length allocations

2016-08-23 Thread william . c . roberts
From: William Roberts 

Throughout the SELinux LSM, values taken from sepolicy are
used in places where a length of 0 or a saturated length (all bits
set, so that len + 1 wraps to 0) matters; find and fix these.

Signed-off-by: William Roberts 
---
 security/selinux/ss/conditional.c | 3 +++
 security/selinux/ss/policydb.c| 4 
 security/selinux/ss/private.h | 7 +++
 3 files changed, 14 insertions(+)
 create mode 100644 security/selinux/ss/private.h

diff --git a/security/selinux/ss/conditional.c 
b/security/selinux/ss/conditional.c
index 456e1a9..ecc0fb6 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -16,6 +16,7 @@
 #include "security.h"
 #include "conditional.h"
 #include "services.h"
+#include "private.h"
 
 /*
  * cond_evaluate_expr evaluates a conditional expr
@@ -242,6 +243,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, 
void *fp)
goto err;
 
len = le32_to_cpu(buf[2]);
+   if (zero_or_saturated(len))
+   goto err;
 
rc = -ENOMEM;
key = kmalloc(len + 1, GFP_KERNEL);
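Review bot: The new `goto err` relies on `rc` already holding an error code, because the added lines set none; the value returned by this early exit is whatever the code above the hunk last assigned to `rc`, which, judging by the `goto err` at the top of the hunk, is presumably an earlier `-EINVAL`, but that assignment is not visible here. The sibling check in str_read returns -EINVAL explicitly, so for consistency and to make the exit self-contained I would set it here too: `rc = -EINVAL;` immediately before `if (zero_or_saturated(len))`. A why-comment would also help, since the macro name does not say what goes wrong: `/* len + 1 below would wrap to 0 for a saturated len */`. cond_read_bool begins and ends outside this hunk.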
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 4b24385..0e881f3 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -38,6 +38,7 @@
 #include "conditional.h"
 #include "mls.h"
 #include "services.h"
+#include "private.h"
 
 #define _DEBUG_HASHES
 
@@ -1094,6 +1095,9 @@ static int str_read(char **strp, gfp_t flags, void *fp, 
u32 len)
int rc;
char *str;
 
+   if (zero_or_saturated(len))
+   return -EINVAL;
+
str = kmalloc(len + 1, flags);
if (!str)
return -ENOMEM;
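Review bot: The new guard in str_read carries no explanation of why a length of 0 or all-ones is rejected, and the macro name alone does not convey that `len + 1` on the next line wraps to 0 when len is U32_MAX (len is a u32 per the @@ header while kmalloc takes a size_t, so the wrap happens before widening). I would add above the check: `/* len + 1 wraps to 0 for a saturated u32 len; a zero-length string is treated as malformed */`. Whether any valid policy can legitimately carry an empty string here is worth confirming against the policy writer before this lands, since the zero case is a behaviour change rather than an overflow fix. The conditional.c hunk of this patch only does `goto err` for the same condition, so the two sites should agree on an explicit -EINVAL. str_read continues past the end of the hunk.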
diff --git a/security/selinux/ss/private.h b/security/selinux/ss/private.h
new file mode 100644
index 000..0e81a78
--- /dev/null
+++ b/security/selinux/ss/private.h
@@ -0,0 +1,7 @@
+#ifndef PRIVATE_H_
+#define PRIVATE_H_
+
+#define is_saturated(x) (x == (typeof(x))-1)
+#define zero_or_saturated(x) ((x == 0) || is_saturated(x))
+
+#endif
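Review bot: Both macros use their argument unparenthesized (`x == (typeof(x))-1`, `x == 0`), so `zero_or_saturated(a + b)` would parse as `a + (b == 0)`; parenthesize them: `#define is_saturated(x) ((x) == (typeof(x))-1)` and `#define zero_or_saturated(x) (((x) == 0) || is_saturated(x))`. zero_or_saturated also evaluates x twice, harmless for the plain u32 locals the two callers pass but worth a note (`/* x is evaluated more than once */`) so nobody passes an expression with side effects. The include guard `PRIVATE_H_` is generic enough to collide with another private.h in the tree; a more specific name such as `_SS_PRIVATE_H_` is safer. A one-line header comment stating the purpose (lengths read from a policy file, where 0 or all-ones would make `len + 1` wrap) would make the macros self-documenting.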
-- 
1.9.1



[PATCH 2/3] selinux: initialize structures

2016-08-23 Thread william . c . roberts
From: William Roberts 

libsepol pointed out an issue where it's possible to have
an uninitialized jump and an invalid dereference; fix this.
While we're here, zero-allocate all the *_val_to_struct
structures.

Signed-off-by: William Roberts 
---
 security/selinux/ss/policydb.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a315..4b24385 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -541,21 +541,21 @@ static int policydb_index(struct policydb *p)
 
rc = -ENOMEM;
p->class_val_to_struct =
-   kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
+   kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
GFP_KERNEL);
if (!p->class_val_to_struct)
goto out;
 
rc = -ENOMEM;
p->role_val_to_struct =
-   kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
+   kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
GFP_KERNEL);
if (!p->role_val_to_struct)
goto out;
 
rc = -ENOMEM;
p->user_val_to_struct =
-   kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
+   kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
GFP_KERNEL);
if (!p->user_val_to_struct)
goto out;
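Review bot: Each of the three allocations multiplies a count read from the policy (`p->p_classes.nprim`, `p->p_roles.nprim`, `p->p_users.nprim`) by an element size by hand and passes the product to kzalloc; kcalloc does the same zeroed allocation with an overflow-checked multiply, which is the idiomatic kernel form for arrays: `kcalloc(p->p_classes.nprim, sizeof(*(p->class_val_to_struct)), GFP_KERNEL)`, and likewise for the role and user tables. Zeroing means an unfilled slot is now NULL rather than uninitialized memory, so every reader of these three tables must tolerate a NULL entry; this patch adds such a check for role_val_to_struct in policydb_context_isvalid, while readers of class_val_to_struct and user_val_to_struct elsewhere presumably rely on every slot having been populated, which is worth confirming. policydb_index continues outside the hunk.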
@@ -964,7 +964,7 @@ int policydb_context_isvalid(struct policydb *p, struct 
context *c)
 * Role must be authorized for the type.
 */
role = p->role_val_to_struct[c->role - 1];
-   if (!ebitmap_get_bit(>types, c->type - 1))
+   if (!role || !ebitmap_get_bit(>types, c->type - 1))
/* role may not be associated with type */
return 0;
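Review bot: The NULL check covers only `role`; the same function, just below this hunk, presumably indexes `p->user_val_to_struct[c->user - 1]` the same way, and since this patch also switches that table to zeroed allocation, an unfilled user slot would now be a NULL dereference there, so it needs the matching guard, `if (!usr) return 0;`, before `usr` is used. Also, `>types` in the new line reads like `&role->types` with `&role-` lost in the listing; worth a check that the posted patch applies cleanly. policydb_context_isvalid begins before the hunk and continues after it.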
 
-- 
1.9.1



[PATCH 1/3] selinux: detect invalid ebitmap

2016-08-23 Thread william . c . roberts
From: William Roberts 

When count is 0 and the highbit is not zero, the ebitmap is not
valid and the internal node is not allocated. This causes issues
when routines like mls_context_isvalid() attempt to use
ebitmap_for_each_bit() and ebitmap_node_get_bit(), as they assume
a highbit > 0 will have a node allocated.
---
 security/selinux/ss/ebitmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 894b6cd..7d10e5d 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -374,6 +374,9 @@ int ebitmap_read(struct ebitmap *e, void *fp)
goto ok;
}
 
+   if (e->highbit && !count)
+   goto bad;
+
for (i = 0; i < count; i++) {
rc = next_entry(, fp, sizeof(u32));
if (rc < 0) {
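Review bot: If the `goto ok` visible at the top of the hunk is the `!e->highbit` early exit (the condition itself is not visible here), then by the time the new line runs highbit is already known to be non-zero and the `e->highbit &&` half of the condition is redundant; `if (!count) goto bad;` with a comment such as `/* highbit > 0 needs at least one node, or ebitmap_for_each_bit() walks a NULL node */` states the invariant more plainly. The patch also lacks a Signed-off-by trailer, unlike 2/3 and 3/3 in this series. ebitmap_read starts before this hunk and continues after it.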
-- 
1.9.1
