Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp2294492imc; Tue, 12 Mar 2019 10:46:49 -0700 (PDT) X-Google-Smtp-Source: APXvYqyM47TuVMyOWe900CsHGNepyWpEfqBL+zJ2XRMoR1rjUlYDCjbFz5mfagV+INWjFbdQMPjj X-Received: by 2002:a65:5303:: with SMTP id m3mr35805128pgq.292.1552412809054; Tue, 12 Mar 2019 10:46:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552412809; cv=none; d=google.com; s=arc-20160816; b=xWhiWx3XfYlj9C+ckBt2nNWnNaruPyLAHPFNMRrZ00EALAQEfRNH55DB/xDHkeHg9x XqpcSjwcsIgb8Bp3LWnCDn6UzS6WstJ1aLvfsMvGI9Eu8FwZbHkYJ9bdCjr/df1mYiV3 b7VVyN7jYKhL/r/EMWmO+UnBtY0nMQK7MC7FPozOgteLZp4Xsm8B+KKz+nQGSiIRP/We wMbXDzQVPtvDeW1g4gnRo2OyGrt2fxanbFUcKfr3XvamuD0Yh9f0/mZKLkFIxdLXcJ96 3EZ9sbvbK6qfqRrebGv1o4LFHst7Aar3w+lvZXYthbQrtMMUIiT7xSN2Ywkqq6IClW3c yhlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=qxm5oelh5YKtmO0Vd+3dREte8GCOQTcaZ+wRO4xcy38=; b=0CtacZHVGTqNrkN2jV7RAVf7tzDx2A/BLvd5zoc2plUesfxFjmASNW04jYspaF1SkR rQwUX380cKg9TK32Dae+MRwWgBsvZj2ErODLAMuKOhaWcgthRrRmi04IUaax19FZyDBr 8s+ezPz+wNbkhat0bGJARSH5GmCm+zcBqbIJ/X/Ds4UxKG+dSouY5XRyDvLdwmMgmy1v xSDJ0pnbt2U8E8TqlGjdBjG57LTV6x/up1VZhX8rFa7ZefsWf18xcCmOQa19ZALH3D6h MCuX4BItvBs5DZ0Ll5rNhlx+TvU4moSOyKfOmNfITOEfWuUuur7656aK4ieb0a5UmB+G h2Yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QOo9r7LD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si7797618pgq.72.2019.03.12.10.46.33; Tue, 12 Mar 2019 10:46:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=QOo9r7LD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729050AbfCLRoR (ORCPT + 99 others); Tue, 12 Mar 2019 13:44:17 -0400 Received: from mail.kernel.org ([198.145.29.99]:56628 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728841AbfCLRPl (ORCPT ); Tue, 12 Mar 2019 13:15:41 -0400 Received: from localhost (unknown [104.133.8.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0CB7421741; Tue, 12 Mar 2019 17:15:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552410941; bh=uaAwAj1yzZ91jrTqtwUSk6dtD6lqJ2G8VWG48J3ZWGk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QOo9r7LDmqlbRX7/OEb8PuCqcpgWytH277fr3kuLGMlwQbMKHHp9j7Qo0+jfahY9s vPyKhUNB6qLzDwQnx1MFjWMcKvP6ll1iOwMLV3G44WHdeUkxRZ+XiFXDAt/BToGrGB 8AVtUqHq0bgP4pdY02rYFDWF5ll8RqQoaLl8E6ps= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , Paul Moore , "David S. Miller" Subject: [PATCH 4.14 018/135] netlabel: fix out-of-bounds memory accesses Date: Tue, 12 Mar 2019 10:07:45 -0700 Message-Id: <20190312170342.779210471@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190312170341.127810985@linuxfoundation.org> References: <20190312170341.127810985@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Paul Moore [ Upstream commit 5578de4834fe0f2a34fedc7374be691443396d1f ] There are two array out-of-bounds memory accesses, one in cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both errors are embarassingly simple, and the fixes are straightforward. As a FYI for anyone backporting this patch to kernels prior to v4.8, you'll want to apply the netlbl_bitmap_walk() patch to cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before Linux v4.8. Reported-by: Jann Horn Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.") Signed-off-by: Paul Moore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/cipso_ipv4.c | 3 ++- net/netlabel/netlabel_kapi.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const case CIPSO_V4_MAP_PASS: return 0; case CIPSO_V4_MAP_TRANS: - if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL) + if ((level < doi_def->map.std->lvl.cipso_size) && + (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)) return 0; break; } --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned ch (state == 0 && (byte & bitmask) == 0)) return bit_spot; - bit_spot++; + if (++bit_spot >= bitmap_len) + return -1; bitmask >>= 1; if (bitmask == 0) { byte = bitmap[++byte_offset];