[PATCH 3/3] selinux: fix overflow and 0 length allocations
From: William RobertsThroughout the SE Linux LSM, values taken from sepolicy are used in places where length == 0 or length == matter, find and fix these. Signed-off-by: William Roberts --- security/selinux/ss/conditional.c | 3 +++ security/selinux/ss/policydb.c| 4 security/selinux/ss/private.h | 7 +++ 3 files changed, 14 insertions(+) create mode 100644 security/selinux/ss/private.h diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 456e1a9..ecc0fb6 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -16,6 +16,7 @@ #include "security.h" #include "conditional.h" #include "services.h" +#include "private.h" /* * cond_evaluate_expr evaluates a conditional expr @@ -242,6 +243,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) goto err; len = le32_to_cpu(buf[2]); + if (zero_or_saturated(len)) + goto err; rc = -ENOMEM; key = kmalloc(len + 1, GFP_KERNEL); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 4b24385..0e881f3 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -38,6 +38,7 @@ #include "conditional.h" #include "mls.h" #include "services.h" +#include "private.h" #define _DEBUG_HASHES @@ -1094,6 +1095,9 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len) int rc; char *str; + if (zero_or_saturated(len)) + return -EINVAL; + str = kmalloc(len + 1, flags); if (!str) return -ENOMEM; diff --git a/security/selinux/ss/private.h b/security/selinux/ss/private.h new file mode 100644 index 000..0e81a78 --- /dev/null +++ b/security/selinux/ss/private.h 
@@ -0,0 +1,7 @@ +#ifndef PRIVATE_H_ +#define PRIVATE_H_ + +#define is_saturated(x) (x == (typeof(x))-1) +#define zero_or_saturated(x) ((x == 0) || is_saturated(x)) + +#endif -- 1.9.1 ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
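Review bot: In the cond_read_bool hunk the new `goto err` is taken without assigning rc first, so the value returned depends on whatever an earlier check left in rc, which is outside the hunk; the very next line, `rc = -ENOMEM;`, shows the function's convention of setting rc immediately before each failure branch, so put `rc = -EINVAL;` ahead of `if (zero_or_saturated(len)) goto err;` to make the error path self-contained and consistent with the `return -EINVAL;` used in the str_read hunk.

Review bot: In the str_read hunk a zero len does not by itself produce a zero-size allocation, since `str = kmalloc(len + 1, flags);` is kmalloc(1) in that case, so rejecting len == 0 with -EINVAL is a semantic tightening (empty strings are no longer accepted) rather than just an overflow fix; the commit message should call that out explicitly, and the saturated case deserves a one-line comment at the check explaining that an all-ones len makes `len + 1` wrap to 0 before kmalloc.

Review bot: In the private.h hunk the macro parameters are not parenthesized: `#define is_saturated(x) (x == (typeof(x))-1)` and `#define zero_or_saturated(x) ((x == 0) || is_saturated(x))` misparse for an argument with lower precedence than `==` and evaluate `x` twice in zero_or_saturated; write `((x) == (typeof(x))-1)` and `(((x) == 0) || is_saturated(x))`, or, since both callers pass a u32 len, make them static inline functions taking a u32. The header also carries no comment stating what "saturated" means or why the pair of values is rejected, and the file name "private.h" says nothing about its contents; a comment on the macros and a more descriptive name (or folding them into an existing internal header) would help the next reader.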
[PATCH 2/3] selinux: initialize structures
From: William Roberts
libsepol pointed out an issue where it's possible to have an uninitialized jmp and invalid dereference, fix this. While we're here, zero allocate all the *_val_to_struct structures. Signed-off-by: William Roberts --- security/selinux/ss/policydb.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 992a315..4b24385 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -541,21 +541,21 @@ static int policydb_index(struct policydb *p) rc = -ENOMEM; p->class_val_to_struct = - kmalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), + kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)), GFP_KERNEL); if (!p->class_val_to_struct) goto out; rc = -ENOMEM; p->role_val_to_struct = - kmalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), + kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)), GFP_KERNEL); if (!p->role_val_to_struct) goto out; rc = -ENOMEM; p->user_val_to_struct = - kmalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), + kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)), GFP_KERNEL); if (!p->user_val_to_struct) goto out; @@ -964,7 +964,7 @@ int policydb_context_isvalid(struct policydb *p, struct context *c) * Role must be authorized for the type. */ role = p->role_val_to_struct[c->role - 1]; - if (!ebitmap_get_bit(>types, c->type - 1)) + if (!role || !ebitmap_get_bit(>types, c->type - 1)) /* role may not be associated with type */ return 0; -- 1.9.1
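Review bot: In the policydb_index hunk, switching kmalloc to kzalloc zeroes the slots but leaves the unchecked multiplications `p->p_classes.nprim * sizeof(*(p->class_val_to_struct))` (and the same for roles and users) in place; `kcalloc(p->p_classes.nprim, sizeof(*(p->class_val_to_struct)), GFP_KERNEL)` exists for exactly this pattern, zeroes the memory and fails cleanly on overflow instead of handing back a short buffer, so prefer it here.

Review bot: In the policydb_context_isvalid hunk the new `!role ||` test is only meaningful because the previous hunk switched role_val_to_struct to kzalloc; with the old kmalloc an unfilled slot would hold garbage rather than NULL, and the check would not fire. The commit message presents the zeroing as an aside ("While we're here"), but it is a precondition of this check, so state that in the message, and consider a one-line comment above the test such as /* slot left NULL by policydb_index() */ so the NULL check is not later mistaken for a redundant one and removed.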
[PATCH 1/3] selinux: detect invalid ebitmap
From: William Roberts
When count is 0 and the highbit is not zero, the ebitmap is not valid and the internal node is not allocated. This causes issues when routines, like mls_context_isvalid(), attempt to use the ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume a highbit > 0 will have a node allocated. --- security/selinux/ss/ebitmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c index 894b6cd..7d10e5d 100644 --- a/security/selinux/ss/ebitmap.c +++ b/security/selinux/ss/ebitmap.c @@ -374,6 +374,9 @@ int ebitmap_read(struct ebitmap *e, void *fp) goto ok; } + if (e->highbit && !count) + goto bad; + for (i = 0; i < count; i++) { rc = next_entry(, fp, sizeof(u32)); if (rc < 0) { -- 1.9.1
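Review bot: The ebitmap_read hunk jumps to `bad` without setting rc, and the label is outside the hunk; either confirm that `bad` assigns an error code (the loop that follows uses `rc = next_entry(...)` and `if (rc < 0)`, so a path that leaves rc at 0 would report success for a rejected map) or set `rc = -EINVAL;` before the goto so the error value is visible at the point of rejection. A short comment on the new check stating the invariant from the message (highbit > 0 implies at least one allocated node, which ebitmap_for_each_bit() and ebitmap_node_get_bit() rely on) would make the reason for rejecting `e->highbit && !count` clear in the code itself. Separately, this patch lacks the Signed-off-by line that 2/3 and 3/3 carry; it is required for kernel submission.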