| Message ID | 20220318063508.1348148-1-wangyufen@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | f22881de730ebd472e15bcc2c0d1d46e36a87b9c |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net-next] netlabel: fix out-of-bounds memory accesses | expand |
On Fri, Mar 18, 2022 at 2:17 AM Wang Yufen <wangyufen@huawei.com> wrote: > > In calipso_map_cat_ntoh(), in the for loop, if the return value of > netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when > netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses > of bitmap[byte_offset] occurs. > > The bug was found during fuzzing. The following is the fuzzing report > BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0 > Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252 > > CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17 > Hardware name: linux,dummy-virt (DT) > Call trace: > dump_backtrace+0x21c/0x230 > show_stack+0x1c/0x60 > dump_stack_lvl+0x64/0x7c > print_address_description.constprop.0+0x70/0x2d0 > __kasan_report+0x158/0x16c > kasan_report+0x74/0x120 > __asan_load1+0x80/0xa0 > netlbl_bitmap_walk+0x3c/0xd0 > calipso_opt_getattr+0x1a8/0x230 > calipso_sock_getattr+0x218/0x340 > calipso_sock_getattr+0x44/0x60 > netlbl_sock_getattr+0x44/0x80 > selinux_netlbl_socket_setsockopt+0x138/0x170 > selinux_socket_setsockopt+0x4c/0x60 > security_socket_setsockopt+0x4c/0x90 > __sys_setsockopt+0xbc/0x2b0 > __arm64_sys_setsockopt+0x6c/0x84 > invoke_syscall+0x64/0x190 > el0_svc_common.constprop.0+0x88/0x200 > do_el0_svc+0x88/0xa0 > el0_svc+0x128/0x1b0 > el0t_64_sync_handler+0x9c/0x120 > el0t_64_sync+0x16c/0x170 > > Reported-by: Hulk Robot <hulkci@huawei.com> > Signed-off-by: Wang Yufen <wangyufen@huawei.com> > --- > net/netlabel/netlabel_kapi.c | 2 ++ > 1 file changed, 2 insertions(+) Looks good to me, thanks for catching this and submitting a fix. Acked-by: Paul Moore <paul@paul-moore.com> > diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c > index beb0e573266d..54c083003947 100644 > --- a/net/netlabel/netlabel_kapi.c > +++ b/net/netlabel/netlabel_kapi.c > @@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len, > unsigned char bitmask; > unsigned char byte; > > + if (offset >= bitmap_len) > + return -1; > byte_offset = offset / 8; > byte = bitmap[byte_offset]; > bit_spot = offset;
Hello: This patch was applied to netdev/net-next.git (master) by David S. Miller <davem@davemloft.net>: On Fri, 18 Mar 2022 14:35:08 +0800 you wrote: > In calipso_map_cat_ntoh(), in the for loop, if the return value of > netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when > netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses > of bitmap[byte_offset] occurs. > > The bug was found during fuzzing. The following is the fuzzing report > BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0 > Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252 > > [...] Here is the summary with links: - [net-next] netlabel: fix out-of-bounds memory accesses https://git.kernel.org/netdev/net-next/c/f22881de730e You are awesome, thank you!
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index beb0e573266d..54c083003947 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len, unsigned char bitmask; unsigned char byte; + if (offset >= bitmap_len) + return -1; byte_offset = offset / 8; byte = bitmap[byte_offset]; bit_spot = offset;
In calipso_map_cat_ntoh(), in the for loop, if the return value of netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses of bitmap[byte_offset] occurs. The bug was found during fuzzing. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0 Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252 CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x21c/0x230 show_stack+0x1c/0x60 dump_stack_lvl+0x64/0x7c print_address_description.constprop.0+0x70/0x2d0 __kasan_report+0x158/0x16c kasan_report+0x74/0x120 __asan_load1+0x80/0xa0 netlbl_bitmap_walk+0x3c/0xd0 calipso_opt_getattr+0x1a8/0x230 calipso_sock_getattr+0x218/0x340 calipso_sock_getattr+0x44/0x60 netlbl_sock_getattr+0x44/0x80 selinux_netlbl_socket_setsockopt+0x138/0x170 selinux_socket_setsockopt+0x4c/0x60 security_socket_setsockopt+0x4c/0x90 __sys_setsockopt+0xbc/0x2b0 __arm64_sys_setsockopt+0x6c/0x84 invoke_syscall+0x64/0x190 el0_svc_common.constprop.0+0x88/0x200 do_el0_svc+0x88/0xa0 el0_svc+0x128/0x1b0 el0t_64_sync_handler+0x9c/0x120 el0t_64_sync+0x16c/0x170 Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Yufen <wangyufen@huawei.com> --- net/netlabel/netlabel_kapi.c | 2 ++ 1 file changed, 2 insertions(+)