Message ID | 20190722132111.25743-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | selinux: check sidtab limit before adding a new entry | expand |
On Mon, Jul 22, 2019 at 8:34 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > We need to error out when trying to add an entry above SIDTAB_MAX in > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > happens. > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > security/selinux/ss/sidtab.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > index e63a90ff2728..54c1ba1e79ab 100644 > --- a/security/selinux/ss/sidtab.c > +++ b/security/selinux/ss/sidtab.c > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > ++count; > } > > + /* bail out if we already reached max entries */ > + rc = -ENOMEM; Wouldn't -EOVERFLOW be better? > + if (count == SIDTAB_MAX) > + goto out_unlock; > + > /* insert context into new entry */ > rc = -ENOMEM; > dst = sidtab_do_lookup(s, count, 1); > -- > 2.21.0 >
On Mon, Jul 22, 2019 at 03:21:11PM +0200, Ondrej Mosnacek wrote: > We need to error out when trying to add an entry above SIDTAB_MAX in > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > happens. > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Is this reachable from unprivileged userspace? > --- > security/selinux/ss/sidtab.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > index e63a90ff2728..54c1ba1e79ab 100644 > --- a/security/selinux/ss/sidtab.c > +++ b/security/selinux/ss/sidtab.c > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > ++count; > } > > + /* bail out if we already reached max entries */ > + rc = -ENOMEM; > + if (count == SIDTAB_MAX) Do you want to use >= here instead? -Kees > + goto out_unlock; > + > /* insert context into new entry */ > rc = -ENOMEM; > dst = sidtab_do_lookup(s, count, 1); > -- > 2.21.0 >
On Mon, Jul 22, 2019 at 12:50 PM Kees Cook <keescook@chromium.org> wrote: > On Mon, Jul 22, 2019 at 03:21:11PM +0200, Ondrej Mosnacek wrote: > > We need to error out when trying to add an entry above SIDTAB_MAX in > > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > > happens. > > > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > Is this reachable from unprivileged userspace? I believe it's reachable via selinuxfs under /sys/fs/selinux/context, and the DAC permissions are for the relevant files are 0666, but the SELinux policy might restrict that. > > --- > > security/selinux/ss/sidtab.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > > index e63a90ff2728..54c1ba1e79ab 100644 > > --- a/security/selinux/ss/sidtab.c > > +++ b/security/selinux/ss/sidtab.c > > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > > ++count; > > } > > > > + /* bail out if we already reached max entries */ > > + rc = -ENOMEM; > > + if (count == SIDTAB_MAX) > > Do you want to use >= here instead? Yes, definitely.
On Mon, Jul 22, 2019 at 4:17 PM William Roberts <bill.c.roberts@gmail.com> wrote: > On Mon, Jul 22, 2019 at 8:34 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > We need to error out when trying to add an entry above SIDTAB_MAX in > > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > > happens. > > > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > security/selinux/ss/sidtab.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > > index e63a90ff2728..54c1ba1e79ab 100644 > > --- a/security/selinux/ss/sidtab.c > > +++ b/security/selinux/ss/sidtab.c > > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > > ++count; > > } > > > > + /* bail out if we already reached max entries */ > > + rc = -ENOMEM; > > Wouldn't -EOVERFLOW be better? Good point. Will change it in v2. > > > + if (count == SIDTAB_MAX) > > + goto out_unlock; > > + > > /* insert context into new entry */ > > rc = -ENOMEM; > > dst = sidtab_do_lookup(s, count, 1); > > -- > > 2.21.0 > > Thanks,
On Mon, Jul 22, 2019 at 6:50 PM Kees Cook <keescook@chromium.org> wrote: > On Mon, Jul 22, 2019 at 03:21:11PM +0200, Ondrej Mosnacek wrote: > > We need to error out when trying to add an entry above SIDTAB_MAX in > > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > > happens. > > > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > Is this reachable from unprivileged userspace? > > > --- > > security/selinux/ss/sidtab.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > > index e63a90ff2728..54c1ba1e79ab 100644 > > --- a/security/selinux/ss/sidtab.c > > +++ b/security/selinux/ss/sidtab.c > > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > > ++count; > > } > > > > + /* bail out if we already reached max entries */ > > + rc = -ENOMEM; > > + if (count == SIDTAB_MAX) > > Do you want to use >= here instead? Makes sense. Also staged for v2. > > -Kees > > > + goto out_unlock; > > + > > /* insert context into new entry */ > > rc = -ENOMEM; > > dst = sidtab_do_lookup(s, count, 1); > > -- > > 2.21.0 > > > > -- > Kees Cook Thanks,
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index e63a90ff2728..54c1ba1e79ab 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, ++count; } + /* bail out if we already reached max entries */ + rc = -ENOMEM; + if (count == SIDTAB_MAX) + goto out_unlock; + /* insert context into new entry */ rc = -ENOMEM; dst = sidtab_do_lookup(s, count, 1);
We need to error out when trying to add an entry above SIDTAB_MAX in sidtab_reverse_lookup() to avoid overflow on the odd chance that this happens. Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/ss/sidtab.c | 5 +++++ 1 file changed, 5 insertions(+)