Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netlabel: cope with NULL catmap

The cipso and calipso code can set the MLS_CAT attribute on
successful parsing, even if the corresponding catmap has
not been allocated, as per current configuration and external
input.

Later, selinux code tries to access the catmap if the MLS_CAT flag
is present via netlbl_catmap_getlong(). That may cause null ptr
dereference while processing incoming network traffic.

Address the issue setting the MLS_CAT flag only if the catmap is
really allocated. Additionally let netlbl_catmap_getlong() cope
with NULL catmap.

Reported-by: Matthew Sheets <matthew.sheets@gd-ms.com>
Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Paolo Abeni and committed by David S. Miller
eead1c2e 24adbc16

+12 -3
+4 -2
net/ipv4/cipso_ipv4.c
··· 1258 1258 return ret_val; 1259 1259 } 1260 1260 1261 - secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1261 + if (secattr->attr.mls.cat) 1262 + secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1262 1263 } 1263 1264 1264 1265 return 0; ··· 1440 1439 return ret_val; 1441 1440 } 1442 1441 1443 - secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1442 + if (secattr->attr.mls.cat) 1443 + secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1444 1444 } 1445 1445 1446 1446 return 0;
+2 -1
net/ipv6/calipso.c
··· 1047 1047 goto getattr_return; 1048 1048 } 1049 1049 1050 - secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1050 + if (secattr->attr.mls.cat) 1051 + secattr->flags |= NETLBL_SECATTR_MLS_CAT; 1051 1052 } 1052 1053 1053 1054 secattr->type = NETLBL_NLTYPE_CALIPSO;
+6
net/netlabel/netlabel_kapi.c
··· 734 734 if ((off & (BITS_PER_LONG - 1)) != 0) 735 735 return -EINVAL; 736 736 737 + /* a null catmap is equivalent to an empty one */ 738 + if (!catmap) { 739 + *offset = (u32)-1; 740 + return 0; 741 + } 742 + 737 743 if (off < catmap->startbit) { 738 744 off = catmap->startbit; 739 745 *offset = off;
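
Review bot: In net/ipv4/cipso_ipv4.c the same guard, if (secattr->attr.mls.cat), is added at both flag-setting sites (around lines 1261 and 1443) with no comment saying why the catmap can still be NULL after the parse has returned success. A one-line comment at each site, or a small shared helper that sets NETLBL_SECATTR_MLS_CAT only when the catmap is allocated, would state the invariant (MLS_CAT implies a non-NULL catmap) once and keep the two copies from drifting apart.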
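
Review bot: In net/ipv6/calipso.c the new test at line 1050 relies on secattr->attr.mls.cat being NULL whenever no categories were parsed, and nothing in the visible context shows where that field is initialised. Please confirm that the secattr reaching this path always starts with a NULL catmap, since a stale non-NULL pointer would still set the flag; a short comment naming that precondition next to the check would help the next reader.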
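
Review bot: In net/netlabel/netlabel_kapi.c the NULL branch returns 0 with *offset = (u32)-1, but the comment only says that a null catmap is equivalent to an empty one and does not say that (u32)-1 is the value callers have to test for. Suggest extending the comment to name the sentinel. The branch also sits after the alignment test, so an unaligned offset with a NULL catmap still returns -EINVAL; that ordering looks deliberate and is worth a word in the comment too.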