Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp2287314pxp; Mon, 21 Mar 2022 15:57:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzp0CSpiZSFg/qP1vLnPZ/TH4AwElriR4/T5Uys0w3BVB8zXFBvdwJCPO0JNMBms9IoIv6l X-Received: by 2002:a17:902:d506:b0:154:377b:a38c with SMTP id b6-20020a170902d50600b00154377ba38cmr11956702plg.100.1647903473558; Mon, 21 Mar 2022 15:57:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647903473; cv=none; d=google.com; s=arc-20160816; b=S+5ScmXMnuA8qpnQLDhpqF+3Zx8yBg25TrliIEaMea8njxrUAk4oml211PNTZMvfG9 HkinhzM/QFDv5kdK5+4SlunkOHmOx1XgLG78ufvZyHxgoxb9a7oGQjBtQSt8iMBfEIXk oNUCiUx+w05FgIFTVt4RWabcSEHTLXR0myRQ3BQTyOe+/NeHUFWjGNEUOGDh0cxKVkVq hWAqFhL/2JyHiXoLxFO5RoizC0BR0hJSm2geA1MYJ7syAazl1jROFBgIs2E1/hc3Yhuk QqisYpW49KOLByp1Zmplt4ZLcpEOuxVrK67sPiZDBh4PPCvQrCLADDHECm1gBmX3dY4G JgEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=hLKx8CAJntsK0yBMQmBZFOxm4LBOx6McrSplLJdiGGU=; b=f+zN1+hvB7Pp3lAWfhqED4oTw4ZccKtX3fwMhjHQGAwf1X9xynSAGwsPeW4BQrKR3v hQmog/3bB/2pXhzmcuOg47KOmp6vf6x8314JudIyg2O0tDxtvLl+zJfC7Lp6sanW7sL5 B2Y/0OYW2BXFpvxFCja4zWi4MGcWOBAeZv1rdXsZCAADEGtgodbZgWKuQALXPADcprNJ z2X65zZujyv3MNBPLjZ8ClQyQq/nXnvGSyaZJl3mmVHYmbvMC78i9g34uwpgJy/yLe0C ut4GkEf/apJbT79TIzIKkL4qNL1Xh2X3QmENBSzNgH9NxD08eNkbiG8k274a+Xe9ErTF uvuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=mt8PQVn2; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id b35-20020a631b23000000b003822f3c78cfsi10665091pgb.683.2022.03.21.15.57.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Mar 2022 15:57:53 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=mt8PQVn2; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id DC2DC36404F; Mon, 21 Mar 2022 15:10:05 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343762AbiCTV4s (ORCPT + 99 others); Sun, 20 Mar 2022 17:56:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34670 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343792AbiCTV4p (ORCPT ); Sun, 20 Mar 2022 17:56:45 -0400 Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD6F42F00F for ; Sun, 20 Mar 2022 14:55:15 -0700 (PDT) Received: by mail-ej1-x62d.google.com with SMTP id d10so26467340eje.10 for ; Sun, 20 Mar 2022 14:55:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hLKx8CAJntsK0yBMQmBZFOxm4LBOx6McrSplLJdiGGU=; b=mt8PQVn28lw9ZHmv9OluD/+rddZETi2CpFWyYRqwb8NOFOEKEPefD2ZeOSIqiomg+U 42GPEuyszn5IR7qcqzUSgYnLuzC4lypVbf1Rp1HWkSaE94p5exbSQZHDPV8lEQ5/cwoc uf+h0LihV/ns0Ho0ApGkeA/oPr417gvK/KGfPxBYQQpMDQgFnqnRjUd3oQj24HEiqqoF fev9lCRq3YFc6EnxRHEVmOzFvxUvosjPhrykYOEaSX3L8Qh3Awd0cg+rydCMCX5jyKvL SJmXvjkqMFD/ev084ruGBMZTJdfCaSO+sIpIk89gcc85G2l8rs+78eDerkDLe5DyAnwk Eciw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hLKx8CAJntsK0yBMQmBZFOxm4LBOx6McrSplLJdiGGU=; b=h5wK14wS7Q0eQaq8BR6wibqwVT9R400B0j6AbIG0FjYT1j6BKUbm+vMkPNNS2wGDoD jA5RwvnkJRMsqDdJaB9YPv2DJLPjNrU2zfM7y02NdbUYD+nduJ1AptSTvykRi6anUs83 M/sWNUcTAAjd6rKEqrGj3YygA4bMIDrOXPR/8coh2Iw2+Oo+2p4SlRI4lKdNIacGtUjO FS4cOFmH1iSlrt88kxbR0cW//6FoCNNQhDJvBADD7yii6DJtkmFpgVpkcLBJz7JsF/lg VJEYrKpcRTgvd8veIP8ofX6KnIq0yPlBgSS7GW6OTvEQ/mKm9Hw7l65vbmULf9lY+pri Bfqw== X-Gm-Message-State: AOAM533SJXq9akV399JkN/ZQXJMHQ8LBY/1zzhNe99zS2p9cwDTsGStk 8/iioS9wfWsiRxexotFXfQD9kR+RUgsngFyO5iD4 X-Received: by 2002:a17:907:1b09:b0:6d8:faa8:4a06 with SMTP id mp9-20020a1709071b0900b006d8faa84a06mr17885084ejc.701.1647813313849; Sun, 20 Mar 2022 14:55:13 -0700 (PDT) MIME-Version: 1.0 References: <20220318063508.1348148-1-wangyufen@huawei.com> In-Reply-To: <20220318063508.1348148-1-wangyufen@huawei.com> From: Paul Moore Date: Sun, 20 Mar 2022 17:55:02 -0400 Message-ID: Subject: Re: [PATCH net-next] netlabel: fix out-of-bounds memory accesses To: Wang Yufen Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 18, 2022 at 2:17 AM Wang Yufen wrote: > > In calipso_map_cat_ntoh(), in the for loop, if the return value of > netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when > netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses > of bitmap[byte_offset] occurs. > > The bug was found during fuzzing. The following is the fuzzing report > BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0 > Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252 > > CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17 > Hardware name: linux,dummy-virt (DT) > Call trace: > dump_backtrace+0x21c/0x230 > show_stack+0x1c/0x60 > dump_stack_lvl+0x64/0x7c > print_address_description.constprop.0+0x70/0x2d0 > __kasan_report+0x158/0x16c > kasan_report+0x74/0x120 > __asan_load1+0x80/0xa0 > netlbl_bitmap_walk+0x3c/0xd0 > calipso_opt_getattr+0x1a8/0x230 > calipso_sock_getattr+0x218/0x340 > calipso_sock_getattr+0x44/0x60 > netlbl_sock_getattr+0x44/0x80 > selinux_netlbl_socket_setsockopt+0x138/0x170 > selinux_socket_setsockopt+0x4c/0x60 > security_socket_setsockopt+0x4c/0x90 > __sys_setsockopt+0xbc/0x2b0 > __arm64_sys_setsockopt+0x6c/0x84 > invoke_syscall+0x64/0x190 > el0_svc_common.constprop.0+0x88/0x200 > do_el0_svc+0x88/0xa0 > el0_svc+0x128/0x1b0 > el0t_64_sync_handler+0x9c/0x120 > el0t_64_sync+0x16c/0x170 > > Reported-by: Hulk Robot > Signed-off-by: Wang Yufen > --- > net/netlabel/netlabel_kapi.c | 2 ++ > 1 file changed, 2 insertions(+) Looks good to me, thanks for catching this and submitting a fix. Acked-by: Paul Moore > diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c > index beb0e573266d..54c083003947 100644 > --- a/net/netlabel/netlabel_kapi.c > +++ b/net/netlabel/netlabel_kapi.c > @@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len, > unsigned char bitmask; > unsigned char byte; > > + if (offset >= bitmap_len) > + return -1; > byte_offset = offset / 8; > byte = bitmap[byte_offset]; > bit_spot = offset; -- paul-moore.com