From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Matthew Sheets, Paolo Abeni, Paul Moore, "David S. Miller"
Subject: [PATCH 5.6 033/194] netlabel: cope with NULL catmap
Date: Mon, 18 May 2020 19:35:23 +0200
Message-Id: <20200518173534.346207764@linuxfoundation.org>
In-Reply-To: <20200518173531.455604187@linuxfoundation.org>
References: <20200518173531.455604187@linuxfoundation.org>

From: Paolo Abeni

[ Upstream commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 ]

The cipso and calipso code can set the MLS_CAT attribute on
successful parsing, even if the corresponding catmap has
not been allocated, as per current configuration and external
input.

Later, selinux code tries to access the catmap if the MLS_CAT flag
is present via netlbl_catmap_getlong(). That may cause a null ptr
dereference while processing incoming network traffic.

Address the issue by setting the MLS_CAT flag only if the catmap is
really allocated. Additionally, let netlbl_catmap_getlong() cope
with a NULL catmap.

Reported-by: Matthew Sheets
Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
Signed-off-by: Paolo Abeni
Acked-by: Paul Moore
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/cipso_ipv4.c        |    6 ++++--
 net/ipv6/calipso.c           |    3 ++-
 net/netlabel/netlabel_kapi.c |    6 ++++++
 3 files changed, 12 insertions(+), 3 deletions(-)

--- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c
@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const s return ret_val; } - secattr->flags |= NETLBL_SECATTR_MLS_CAT; + if (secattr->attr.mls.cat) + secattr->flags |= NETLBL_SECATTR_MLS_CAT; } return 0; @@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const s return ret_val; } - secattr->flags |= NETLBL_SECATTR_MLS_CAT; + if (secattr->attr.mls.cat) + secattr->flags |= NETLBL_SECATTR_MLS_CAT; } return 0; --- a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c @@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const uns goto getattr_return; } - secattr->flags |= NETLBL_SECATTR_MLS_CAT; + if (secattr->attr.mls.cat) + secattr->flags |= NETLBL_SECATTR_MLS_CAT; } secattr->type = NETLBL_NLTYPE_CALIPSO; --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c @@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_ if ((off & (BITS_PER_LONG - 1)) != 0) return -EINVAL; + /* a null catmap is equivalent to an empty one */ + if (!catmap) { + *offset = (u32)-1; + return 0; + } + if (off < catmap->startbit) { off = catmap->startbit; *offset = off;
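
Review bot: In the three parser hunks (cipso_v4_parsetag_rbm, cipso_v4_parsetag_rng and calipso_opt_getattr) the new "if (secattr->attr.mls.cat)" guard has no comment, so someone reading the code without the commit message cannot tell why the catmap may still be NULL on a path that has already passed the error return just above. A one-line comment at each site, or a small shared helper that sets NETLBL_SECATTR_MLS_CAT only when the catmap is allocated, would record that reason and keep the three identical copies from drifting apart.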
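
Review bot: In the netlbl_catmap_getlong() hunk the new NULL check sits after the alignment test on off, so a NULL catmap with an unaligned offset still returns -EINVAL instead of the "empty" result, and the early return writes only *offset. It would help to say in the function's header comment that a NULL catmap is accepted and reported as return 0 with *offset == (u32)-1, so callers know to test the offset before relying on anything else the function fills in.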