Commit 5578de48 authored Feb 25, 2019 by Paul Moore Committed by David S. Miller Feb 27, 2019

netlabel: fix out-of-bounds memory accesses



There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
errors are embarassingly simple, and the fixes are straightforward.

As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.

Reported-by: Jann Horn <jannh@google.com>
Fixes: 446fda4f ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f98 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a1fd1ad2

net/ipv4/cipso_ipv4.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
		case CIPSO_V4_MAP_PASS:
		return 0;
		case CIPSO_V4_MAP_TRANS:
		if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
		if ((level < doi_def->map.std->lvl.cipso_size) &&
		(doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
		return 0;
		break;
		}

net/netlabel/netlabel_kapi.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
		(state == 0 && (byte & bitmask) == 0))
		return bit_spot;

		bit_spot++;
		if (++bit_spot >= bitmap_len)
		return -1;
		bitmask >>= 1;
		if (bitmask == 0) {
		byte = bitmap[++byte_offset];