Date: Thu, 03 Aug 2023 22:20:22 -0400
From: Paul Moore
To: Christian Göttsche, selinux@vger.kernel.org
Cc: Stephen Smalley, Eric Paris, Ondrej Mosnacek, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 8/9] selinux: policydb: implicit conversions
References: <20230728155501.39632-7-cgzones@googlemail.com>
In-Reply-To: <20230728155501.39632-7-cgzones@googlemail.com>

On Jul 28, 2023 Christian Göttsche wrote:
>
> Use the identical type for local variables, e.g. loop counters.
>
> Declare members of struct policydb_compat_info unsigned to consistently
> use unsigned iterators. They hold read-only non-negative numbers in the
> global variable policydb_compat.
>
> Signed-off-by: Christian Göttsche
> ---
> v2:
> - avoid declarations in init-clauses of for loops
> - declare members of struct policydb_compat_info unsigned
> ---
> security/selinux/ss/policydb.c | 93 +++++++++++++++++++++-------------
> 1 file changed, 58 insertions(+), 35 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index dc66868ff62c..aa2371a422af 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -55,9 +55,9 @@ static const char *const symtab_name[SYM_NUM] = {
> #endif
>
> struct policydb_compat_info {
> - int version;
> - int sym_num;
> - int ocon_num;
> + unsigned int version;
> + unsigned int sym_num;
> + unsigned int ocon_num;
> };
>
> /* These need to be updated if SYM_NUM or OCON_NUM changes */
> @@ -159,9 +159,9 @@ static const struct policydb_compat_info policydb_compat[] = {
> },
> };
>
> -static const struct policydb_compat_info *policydb_lookup_compat(int version)
> +static const struct policydb_compat_info *policydb_lookup_compat(unsigned int version)
> {
> - int i;
> + u32 i;

Another question of 'why u32'?  I can understand making the iterator
unsigned, but why explicitly make it 32-bits?  Why not just an unsigned
int?

> for (i = 0; i < ARRAY_SIZE(policydb_compat); i++) {
> if (policydb_compat[i].version == version)
> @@ -359,7 +359,7 @@ static int role_tr_destroy(void *key, void *datum, void *p)
> return 0;
> }
>
> -static void ocontext_destroy(struct ocontext *c, int i)
> +static void ocontext_destroy(struct ocontext *c, u32 i)

Yes, this should be unsigned, but why not an unsigned int?

> {
> if (!c)
> return;
> @@ -781,7 +781,7 @@ void policydb_destroy(struct policydb *p)
> {
> struct ocontext *c, *ctmp;
> struct genfs *g, *gtmp;
> - int i;
> + u32 i;

Same.

> struct role_allow *ra, *lra = NULL;
>
> for (i = 0; i < SYM_NUM; i++) {
> @@ -2237,8 +2240,9 @@ static int genfs_read(struct policydb *p, void *fp)
> static int ocontext_read(struct policydb *p, const struct policydb_compat_info *info,
> void *fp)
> {
> - int i, j, rc;
> - u32 nel, len;
> + int rc;
> + unsigned int i;
> + u32 j, nel, len, val;
> __be64 prefixbuf[1];
> __le32 buf[3];
> struct ocontext *l, *c;
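Review bot: the new declarations in ocontext_read() still mix two iterator types, `unsigned int i` next to `u32 j`, which is exactly the inconsistency the commit message says this patch removes; presumably `i` is meant to match `info->ocon_num` (now unsigned int per the first hunk) and `j` to match `nel` (u32), but that reasoning belongs in the commit message, or one type should be used for both. Also, `val` is only consumed by the port/protocol range checks added in the later hunk, so if that bounds checking is split into its own patch the `val` declaration must move with it or this hunk will introduce an unused variable.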
> @@ -2299,9 +2303,27 @@ static int ocontext_read(struct policydb *p, const struct policydb_compat_info *
> rc = next_entry(buf, fp, sizeof(u32)*3);
> if (rc)
> goto out;
> - c->u.port.protocol = le32_to_cpu(buf[0]);
> - c->u.port.low_port = le32_to_cpu(buf[1]);
> - c->u.port.high_port = le32_to_cpu(buf[2]);
> +
> + rc = -EINVAL;
> +
> + val = le32_to_cpu(buf[0]);
> + if (val > U8_MAX)
> + goto out;
> + c->u.port.protocol = val;
> +
> + val = le32_to_cpu(buf[1]);
> + if (val > U16_MAX)
> + goto out;
> + c->u.port.low_port = val;
> +
> + val = le32_to_cpu(buf[2]);
> + if (val > U16_MAX)
> + goto out;
> + c->u.port.high_port = val;
> +
> + if (c->u.port.low_port > c->u.port.high_port)
> + goto out;
> +
> rc = context_read_and_validate(&c->context[0], p, fp);
> if (rc)
> goto out;

This entire block of bounds checking for protocols and ports should be
pulled out into its own patch, especially since it isn't mentioned in
the commit description.

-- 
paul-moore.com
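Review bot: the last hunk is a behaviour change rather than a type cleanup and needs its own commit message: the removed lines assigned the three u32 values straight into the port fields, so a policy carrying a protocol above U8_MAX or a port above U16_MAX (the checks imply the fields are u8 and u16) used to load with the value silently narrowed, and a range with low_port above high_port loaded as well; after this hunk all of those cases make policy loading fail with -EINVAL. That is the right direction for a parser of attacker-influenced input, but it can reject policies that loaded before, so the commit message should say which inputs are newly rejected, and the unconditional `rc = -EINVAL;` should be documented as covering every `goto out` up to the `context_read_and_validate()` call that reassigns `rc`.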