diff mbox series

[net-next] netlabel: fix out-of-bounds memory accesses

Message ID 20220318063508.1348148-1-wangyufen@huawei.com (mailing list archive)
State Accepted
Commit f22881de730ebd472e15bcc2c0d1d46e36a87b9c
Delegated to: Netdev Maintainers
Headers show
Series [net-next] netlabel: fix out-of-bounds memory accesses | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 7 this patch: 7
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

wangyufen March 18, 2022, 6:35 a.m. UTC
In calipso_map_cat_ntoh(), in the for loop, if the return value of
netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when 
netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
of bitmap[byte_offset] occurs.

The bug was found during fuzzing. The following is the fuzzing report
 BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
 Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
 
 CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
 Hardware name: linux,dummy-virt (DT)
 Call trace:
  dump_backtrace+0x21c/0x230
  show_stack+0x1c/0x60
  dump_stack_lvl+0x64/0x7c
  print_address_description.constprop.0+0x70/0x2d0
  __kasan_report+0x158/0x16c
  kasan_report+0x74/0x120
  __asan_load1+0x80/0xa0
  netlbl_bitmap_walk+0x3c/0xd0
  calipso_opt_getattr+0x1a8/0x230
  calipso_sock_getattr+0x218/0x340
  calipso_sock_getattr+0x44/0x60
  netlbl_sock_getattr+0x44/0x80
  selinux_netlbl_socket_setsockopt+0x138/0x170
  selinux_socket_setsockopt+0x4c/0x60
  security_socket_setsockopt+0x4c/0x90
  __sys_setsockopt+0xbc/0x2b0
  __arm64_sys_setsockopt+0x6c/0x84
  invoke_syscall+0x64/0x190
  el0_svc_common.constprop.0+0x88/0x200
  do_el0_svc+0x88/0xa0
  el0_svc+0x128/0x1b0
  el0t_64_sync_handler+0x9c/0x120
  el0t_64_sync+0x16c/0x170

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
---
 net/netlabel/netlabel_kapi.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paul Moore March 20, 2022, 9:55 p.m. UTC | #1
On Fri, Mar 18, 2022 at 2:17 AM Wang Yufen <wangyufen@huawei.com> wrote:
>
> In calipso_map_cat_ntoh(), in the for loop, if the return value of
> netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
> netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
> of bitmap[byte_offset] occurs.
>
> The bug was found during fuzzing. The following is the fuzzing report
>  BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
>  Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
>
>  CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
>  Hardware name: linux,dummy-virt (DT)
>  Call trace:
>   dump_backtrace+0x21c/0x230
>   show_stack+0x1c/0x60
>   dump_stack_lvl+0x64/0x7c
>   print_address_description.constprop.0+0x70/0x2d0
>   __kasan_report+0x158/0x16c
>   kasan_report+0x74/0x120
>   __asan_load1+0x80/0xa0
>   netlbl_bitmap_walk+0x3c/0xd0
>   calipso_opt_getattr+0x1a8/0x230
>   calipso_sock_getattr+0x218/0x340
>   calipso_sock_getattr+0x44/0x60
>   netlbl_sock_getattr+0x44/0x80
>   selinux_netlbl_socket_setsockopt+0x138/0x170
>   selinux_socket_setsockopt+0x4c/0x60
>   security_socket_setsockopt+0x4c/0x90
>   __sys_setsockopt+0xbc/0x2b0
>   __arm64_sys_setsockopt+0x6c/0x84
>   invoke_syscall+0x64/0x190
>   el0_svc_common.constprop.0+0x88/0x200
>   do_el0_svc+0x88/0xa0
>   el0_svc+0x128/0x1b0
>   el0t_64_sync_handler+0x9c/0x120
>   el0t_64_sync+0x16c/0x170
>
> Reported-by: Hulk Robot <hulkci@huawei.com>
> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> ---
>  net/netlabel/netlabel_kapi.c | 2 ++
>  1 file changed, 2 insertions(+)

Looks good to me, thanks for catching this and submitting a fix.

Acked-by: Paul Moore <paul@paul-moore.com>

> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index beb0e573266d..54c083003947 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
>         unsigned char bitmask;
>         unsigned char byte;
>
> +       if (offset >= bitmap_len)
> +               return -1;
>         byte_offset = offset / 8;
>         byte = bitmap[byte_offset];
>         bit_spot = offset;
patchwork-bot+netdevbpf@kernel.org March 21, 2022, 11:10 a.m. UTC | #2
Hello:

This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:

On Fri, 18 Mar 2022 14:35:08 +0800 you wrote:
> In calipso_map_cat_ntoh(), in the for loop, if the return value of
> netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
> netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
> of bitmap[byte_offset] occurs.
> 
> The bug was found during fuzzing. The following is the fuzzing report
>  BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
>  Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
> 
> [...]

Here is the summary with links:
  - [net-next] netlabel: fix out-of-bounds memory accesses
    https://git.kernel.org/netdev/net-next/c/f22881de730e

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index beb0e573266d..54c083003947 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -885,6 +885,8 @@  int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
 	unsigned char bitmask;
 	unsigned char byte;
 
+	if (offset >= bitmap_len)
+		return -1;
 	byte_offset = offset / 8;
 	byte = bitmap[byte_offset];
 	bit_spot = offset;