tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netlabel: fix out-of-bounds memory accesses

There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
errors are embarassingly simple, and the fixes are straightforward.

As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.

Reported-by: Jann Horn <jannh@google.com>
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Paul Moore and committed by
David S. Miller 5578de48 a1fd1ad2

+4 -2
+2 -1
net/ipv4/cipso_ipv4.c
··· 667 667 case CIPSO_V4_MAP_PASS: 668 668 return 0; 669 669 case CIPSO_V4_MAP_TRANS: 670 - if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) 670 + if ((level < doi_def->map.std->lvl.cipso_size) && 671 + (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) 671 672 return 0; 672 673 break; 673 674 }
+2 -1
net/netlabel/netlabel_kapi.c
··· 903 903 (state == 0 && (byte & bitmask) == 0)) 904 904 return bit_spot; 905 905 906 - bit_spot++; 906 + if (++bit_spot >= bitmap_len) 907 + return -1; 907 908 bitmask >>= 1; 908 909 if (bitmask == 0) { 909 910 byte = bitmap[++byte_offset];