Re: [PATCH] libsepol: add missing ibendport port validity check
On Mon, Oct 22, 2018 at 1:18 AM Ondrej Mosnacek wrote:
>
> The kernel checks if the port is in the range 1-255 when loading an
> ibenportcon rule. Add the same check to libsepol.
>
> Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
> Signed-off-by: Ondrej Mosnacek
> ---
> libsepol/src/policydb.c | 11 +--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index db6765ba..e2808b2d 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct
> policydb_compat_info *info,
> return -1;
> break;
> }
> - case OCON_IBENDPORT:
> + case OCON_IBENDPORT: {
> + uint32_t port;
> +
> rc = next_entry(buf, fp, sizeof(uint32_t) *
> 2);
> if (rc < 0)
> return -1;
> @@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct
> policydb_compat_info *info,
> if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
> return -1;
>
> + port = le32_to_cpu(buf[1]);
> + if (port > 0xff || port == 0)
> + return -1;
You switched the other code to using UINT16_MAX, should probably use
UINT8_MAX here.
> +
> c->u.ibendport.dev_name = malloc(len + 1);
> if (!c->u.ibendport.dev_name)
> return -1;
> @@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct
> policydb_compat_info *info,
> if (rc < 0)
> return -1;
> c->u.ibendport.dev_name[len] = 0;
> - c->u.ibendport.port = le32_to_cpu(buf[1]);
> + c->u.ibendport.port = port;
> if (context_read_and_validate
> (>context[0], p, fp))
> return -1;
> break;
> + }
> case OCON_PORT:
> rc = next_entry(buf, fp, sizeof(uint32_t) *
> 3);
> if (rc < 0)
> --
> 2.17.2
>
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH v5] selinux: policydb - fix byte order and alignment issues
Do the LE conversions before doing the Infiniband-related range checks.
The incorrect checks are otherwise causing a failure to load any policy
with an ibendportcon rule on BE systems. This can be reproduced by
running (on e.g. ppc64):
cat >my_module.cil <
Cc: Eli Cohen
Cc: James Morris
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 51 --
1 file changed, 36 insertions(+), 15 deletions(-)
Changes in v5:
- defer also assignment to 8-bit ibendport.port
Changes in v4:
- defer assignment to 16-bit struct fields to after the range check
Changes in v3:
- use separate buffer for the 64-bit subnet_prefix
- add comments on the byte ordering of subnet_prefix
- deduplicate the le32_to_cpu() calls from checks
Changes in v2:
- add reproducer to commit message
- update e-mail address of James Morris
- better Cc also the old SELinux ML
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index f4eadd3f7350..d7e8126f32dc 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct
policydb_compat_info *info,
{
int i, j, rc;
u32 nel, len;
+ __be64 prefixbuf[1];
__le32 buf[3];
struct ocontext *l, *c;
u32 nodebuf[8];
@@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb *p, struct
policydb_compat_info *info,
goto out;
break;
}
- case OCON_IBPKEY:
- rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
+ case OCON_IBPKEY: {
+ u32 pkey_lo, pkey_hi;
+
+ rc = next_entry(prefixbuf, fp, sizeof(u64));
+ if (rc)
+ goto out;
+
+ /* we need to have subnet_prefix in CPU order */
+ c->u.ibpkey.subnet_prefix =
be64_to_cpu(prefixbuf[0]);
+
+ rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
goto out;
- c->u.ibpkey.subnet_prefix =
be64_to_cpu(*((__be64 *)nodebuf));
+ pkey_lo = le32_to_cpu(buf[0]);
+ pkey_hi = le32_to_cpu(buf[1]);
- if (nodebuf[2] > 0x ||
- nodebuf[3] > 0x) {
+ if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
rc = -EINVAL;
goto out;
}
- c->u.ibpkey.low_pkey = le32_to_cpu(nodebuf[2]);
- c->u.ibpkey.high_pkey = le32_to_cpu(nodebuf[3]);
+ c->u.ibpkey.low_pkey = pkey_lo;
+ c->u.ibpkey.high_pkey = pkey_hi;
rc = context_read_and_validate(>context[0],
p,
@@ -2239,7 +2249,10 @@ static int ocontext_read(struct policydb *p, struct
policydb_compat_info *info,
if (rc)
goto out;
break;
- case OCON_IBENDPORT:
+ }
+ case OCON_IBENDPORT: {
+ u32 port;
+
rc = next_entry(buf, fp, sizeof(u32) * 2);
if (rc)
goto out;
@@ -2249,12 +2262,13 @@ static int ocontext_read(struct policydb *p, struct
policydb_compat_info *info,
if (rc)
goto out;
- if (buf[1] > 0xff || buf[1] == 0) {
+ port = le32_to_cpu(buf[1]);
+ if (port > 0xff || port == 0) {
rc = -EINVAL;
goto out;
}
- c->u.ibendport.port = le32_to_cpu(buf[1]);
+ c->u.ibendport.port = port;
rc = context_read_and_validate(>context[0],
p,
@@ -2262,7 +2276,8 @@ static int ocontext_read(struct policydb *p, struct
policydb_compat_info *info,
if (rc)
goto out;
[PATCH] libsepol: add missing ibendport port validity check
The kernel checks if the port is in the range 1-255 when loading an
ibenportcon rule. Add the same check to libsepol.
Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
Signed-off-by: Ondrej Mosnacek
---
libsepol/src/policydb.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index db6765ba..e2808b2d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct
policydb_compat_info *info,
return -1;
break;
}
- case OCON_IBENDPORT:
+ case OCON_IBENDPORT: {
+ uint32_t port;
+
rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
if (rc < 0)
return -1;
@@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct
policydb_compat_info *info,
if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
return -1;
+ port = le32_to_cpu(buf[1]);
+ if (port > 0xff || port == 0)
+ return -1;
+
c->u.ibendport.dev_name = malloc(len + 1);
if (!c->u.ibendport.dev_name)
return -1;
@@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct
policydb_compat_info *info,
if (rc < 0)
return -1;
c->u.ibendport.dev_name[len] = 0;
- c->u.ibendport.port = le32_to_cpu(buf[1]);
+ c->u.ibendport.port = port;
if (context_read_and_validate
(>context[0], p, fp))
return -1;
break;
+ }
case OCON_PORT:
rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
if (rc < 0)
--
2.17.2
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues
On Sat, Oct 20, 2018 at 3:05 AM William Roberts
wrote:
> On Fri, Oct 19, 2018 at 7:28 AM Stephen Smalley wrote:
> >
> > On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
> > > Do the LE conversions before doing the Infiniband-related range checks.
> > > The incorrect checks are otherwise causing a failure to load any policy
> > > with an ibendportcon rule on BE systems. This can be reproduced by
> > > running (on e.g. ppc64):
> > >
> > > cat >my_module.cil < > > (type test_ibendport_t)
> > > (roletype object_r test_ibendport_t)
> > > (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0
> > > EOF
> > > semodule -i my_module.cil
> > >
> > > Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> > > use a correctly aligned buffer.
> > >
> > > Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> > > should be used instead.
> > >
> > > Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> > > patch applied.
> > >
> > > Cc: Daniel Jurgens
> > > Cc: Eli Cohen
> > > Cc: James Morris
> > > Cc: Doug Ledford
> > > Cc: # 4.13+
> > > Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband
> > > support")
> > > Signed-off-by: Ondrej Mosnacek
> > > ---
> > > security/selinux/ss/policydb.c | 46 +++---
> > > 1 file changed, 32 insertions(+), 14 deletions(-)
> > >
> > > Changes in v4:
> > > - defer assignment to 16-bit struct fields to after the range check
> > >
> > > Changes in v3:
> > > - use separate buffer for the 64-bit subnet_prefix
> > > - add comments on the byte ordering of subnet_prefix
> > > - deduplicate the le32_to_cpu() calls from checks
> > >
> > > Changes in v2:
> > > - add reproducer to commit message
> > > - update e-mail address of James Morris
> > > - better Cc also the old SELinux ML
> > >
> > > diff --git a/security/selinux/ss/policydb.c
> > > b/security/selinux/ss/policydb.c
> > > index f4eadd3f7350..d50668006a52 100644
> > > --- a/security/selinux/ss/policydb.c
> > > +++ b/security/selinux/ss/policydb.c
> > > @@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct
> > > policydb_compat_info *info,
> > > {
> > > int i, j, rc;
> > > u32 nel, len;
> > > + __be64 prefixbuf[1];
> > > __le32 buf[3];
> > > struct ocontext *l, *c;
> > > u32 nodebuf[8];
> > > @@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb *p,
> > > struct policydb_compat_info *info,
> > > goto out;
> > > break;
> > > }
> > > - case OCON_IBPKEY:
> > > - rc = next_entry(nodebuf, fp, sizeof(u32) *
> > > 4);
> > > + case OCON_IBPKEY: {
> > > + u32 pkey_lo, pkey_hi;
> > > +
> > > + rc = next_entry(prefixbuf, fp, sizeof(u64));
> > > + if (rc)
> > > + goto out;
> > > +
> > > + /* we need to have subnet_prefix in CPU
> > > order */
> > > + c->u.ibpkey.subnet_prefix =
> > > be64_to_cpu(prefixbuf[0]);
> > > +
> > > + rc = next_entry(buf, fp, sizeof(u32) * 2);
> > > if (rc)
> > > goto out;
> > >
> > > - c->u.ibpkey.subnet_prefix =
> > > be64_to_cpu(*((__be64 *)nodebuf));
> > > + pkey_lo = le32_to_cpu(buf[0]);
> > > + pkey_hi = le32_to_cpu(buf[1]);
> > >
> > > - if (nodebuf[2] > 0x ||
> > > - nodebuf[3] > 0x) {
> > > + if (pkey_lo > U16_MAX || pkey_hi > U16_MAX)
> > > {
> > > rc = -EINVAL;
> > > goto out;
> > > }
> > >
> > > - c->u.ibpkey.low_pkey =
> > > le32_to_cpu(nodebuf[2]);
> > > - c->u.ibpkey.high_pkey =
> > > le32_to_cpu(nodebuf[3]);
> > > + c->u.ibpkey.low_pkey = pkey_lo;
> > > + c->u.ibpkey.high_pkey = pkey_hi;
> > >
> > > rc =
> > > context_read_and_validate(>context[0],
> > > p,
> > > @@ -2239,6 +2249,7 @@ static int ocontext_read(struct policydb *p, struct
> > > policydb_compat_info *info,
> > > if (rc)
> > > goto out;
> > > break;
> > > + }
> > > case OCON_IBENDPORT:
> > > rc = next_entry(buf, fp, sizeof(u32) * 2);
> > > if
Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues
On Fri, Oct 19, 2018 at 4:26 PM Stephen Smalley wrote:
> On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
> > Do the LE conversions before doing the Infiniband-related range checks.
> > The incorrect checks are otherwise causing a failure to load any policy
> > with an ibendportcon rule on BE systems. This can be reproduced by
> > running (on e.g. ppc64):
> >
> > cat >my_module.cil < > (type test_ibendport_t)
> > (roletype object_r test_ibendport_t)
> > (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0
> > EOF
> > semodule -i my_module.cil
> >
> > Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> > use a correctly aligned buffer.
> >
> > Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> > should be used instead.
> >
> > Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> > patch applied.
> >
> > Cc: Daniel Jurgens
> > Cc: Eli Cohen
> > Cc: James Morris
> > Cc: Doug Ledford
> > Cc: # 4.13+
> > Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband
> > support")
> > Signed-off-by: Ondrej Mosnacek
> > ---
> > security/selinux/ss/policydb.c | 46 +++---
> > 1 file changed, 32 insertions(+), 14 deletions(-)
> >
> > Changes in v4:
> > - defer assignment to 16-bit struct fields to after the range check
> >
> > Changes in v3:
> > - use separate buffer for the 64-bit subnet_prefix
> > - add comments on the byte ordering of subnet_prefix
> > - deduplicate the le32_to_cpu() calls from checks
> >
> > Changes in v2:
> > - add reproducer to commit message
> > - update e-mail address of James Morris
> > - better Cc also the old SELinux ML
> >
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index f4eadd3f7350..d50668006a52 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb *p, struct
> > policydb_compat_info *info,
> > {
> > int i, j, rc;
> > u32 nel, len;
> > + __be64 prefixbuf[1];
> > __le32 buf[3];
> > struct ocontext *l, *c;
> > u32 nodebuf[8];
> > @@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb *p, struct
> > policydb_compat_info *info,
> > goto out;
> > break;
> > }
> > - case OCON_IBPKEY:
> > - rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
> > + case OCON_IBPKEY: {
> > + u32 pkey_lo, pkey_hi;
> > +
> > + rc = next_entry(prefixbuf, fp, sizeof(u64));
> > + if (rc)
> > + goto out;
> > +
> > + /* we need to have subnet_prefix in CPU order
> > */
> > + c->u.ibpkey.subnet_prefix =
> > be64_to_cpu(prefixbuf[0]);
> > +
> > + rc = next_entry(buf, fp, sizeof(u32) * 2);
> > if (rc)
> > goto out;
> >
> > - c->u.ibpkey.subnet_prefix =
> > be64_to_cpu(*((__be64 *)nodebuf));
> > + pkey_lo = le32_to_cpu(buf[0]);
> > + pkey_hi = le32_to_cpu(buf[1]);
> >
> > - if (nodebuf[2] > 0x ||
> > - nodebuf[3] > 0x) {
> > + if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
> > rc = -EINVAL;
> > goto out;
> > }
> >
> > - c->u.ibpkey.low_pkey =
> > le32_to_cpu(nodebuf[2]);
> > - c->u.ibpkey.high_pkey =
> > le32_to_cpu(nodebuf[3]);
> > + c->u.ibpkey.low_pkey = pkey_lo;
> > + c->u.ibpkey.high_pkey = pkey_hi;
> >
> > rc = context_read_and_validate(>context[0],
> > p,
> > @@ -2239,6 +2249,7 @@ static int ocontext_read(struct policydb *p, struct
> > policydb_compat_info *info,
> > if (rc)
> > goto out;
> > break;
> > + }
> > case OCON_IBENDPORT:
> > rc = next_entry(buf, fp, sizeof(u32) * 2);
> > if (rc)
> > @@ -2249,13 +2260,14 @@ static int ocontext_read(struct policydb *p, struct
> > policydb_compat_info *info,
> > if (rc)
> > goto out;
> >
> > - if (buf[1] > 0xff || buf[1] == 0) {
> > +
