From patchwork Tue Aug 23 20:49:25 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Roberts, William C"
X-Patchwork-Id: 9296343
From: william.c.roberts@intel.com
To: selinux@tycho.nsa.gov, seandroid-list@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: [PATCH 3/3] selinux: fix overflow and 0 length allocations
Date: Tue, 23 Aug 2016 13:49:25 -0700
Message-Id: <1471985365-1197-3-git-send-email-william.c.roberts@intel.com>
In-Reply-To: <1471985365-1197-1-git-send-email-william.c.roberts@intel.com>
References: <1471985365-1197-1-git-send-email-william.c.roberts@intel.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

From: William Roberts Throughout the SE Linux LSM, values taken from sepolicy are used in places where length == 0 or length == matter, find and fix these. Signed-off-by: William Roberts --- security/selinux/ss/conditional.c | 3 +++ security/selinux/ss/policydb.c | 4 ++++ security/selinux/ss/private.h | 7 +++++++ 3 files changed, 14 insertions(+) create mode 100644 security/selinux/ss/private.h diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 456e1a9..ecc0fb6 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -16,6 +16,7 @@ #include "security.h" #include "conditional.h" #include "services.h" +#include "private.h" /* * cond_evaluate_expr evaluates a conditional expr @@ -242,6 +243,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) goto err; len = le32_to_cpu(buf[2]); + if (zero_or_saturated(len)) + goto err; rc = -ENOMEM; key = kmalloc(len + 1, GFP_KERNEL); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 4b24385..0e881f3 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -38,6 +38,7 @@ #include "conditional.h" #include "mls.h" #include "services.h" +#include "private.h" #define _DEBUG_HASHES @@ -1094,6 +1095,9 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len) int rc; char *str; + if (zero_or_saturated(len)) + return -EINVAL; + str = kmalloc(len + 1, flags); if (!str) return -ENOMEM; diff --git a/security/selinux/ss/private.h b/security/selinux/ss/private.h new file mode 100644 index 0000000..0e81a78 --- /dev/null +++ b/security/selinux/ss/private.h @@ -0,0 +1,7 @@ +#ifndef PRIVATE_H_ +#define PRIVATE_H_ + +#define is_saturated(x) (x == (typeof(x))-1) +#define zero_or_saturated(x) ((x == 0) || is_saturated(x)) + +#endif
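
Review bot: In the cond_read_bool hunk of conditional.c, the added `if (zero_or_saturated(len)) goto err;` sits before `rc = -ENOMEM;`, so the value returned on this path is whatever rc held from the code above the hunk, which these lines do not show. The str_read hunk returns -EINVAL explicitly for the same condition; setting `rc = -EINVAL;` immediately before the new check would make the two paths agree and keep the error code from depending on the surrounding statements.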
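
Review bot: In the str_read hunk of policydb.c, rejecting `len == 0` changes behaviour beyond the overflow case: before this change a zero length still reached `kmalloc(len + 1, flags)` and allocated one byte, and now every caller gets -EINVAL for it. The commit message does not say whether any policy string read through str_read is allowed to be empty; that is worth stating in the message or in a comment above the check, together with the reason for the saturated case (with `u32 len` all ones, `len + 1` wraps to 0 before it is passed to kmalloc).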
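
Review bot: In the new private.h, both macros use their argument unparenthesized and zero_or_saturated expands it more than once, so `(x == (typeof(x))-1)` misparses for an argument such as `a & b`, and an argument with side effects would be evaluated repeatedly. Suggest `((x) == (typeof(x))-1)` and `(((x) == 0) || is_saturated(x))`, or a static inline helper with a fixed unsigned parameter type, given that the str_read call site passes a u32. For a signed type `(typeof(x))-1` is -1 rather than the maximum value, so a one-line comment that the macros are meant for unsigned lengths would help; the guard name PRIVATE_H_ is also generic enough to collide with another header.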