1. Patchew
  2. linux
  3. View series

[PATCH] selinux: reject invalid ebitmaps

Christian Göttsche posted 1 patch 2 years, 4 months ago
There is a newer version of this series
security/selinux/ss/ebitmap.c | 11 +++++++++++
1 file changed, 11 insertions(+)
[PATCH] selinux: reject invalid ebitmaps
Posted by Christian Göttsche 2 years, 4 months ago 
Reject ebitmaps with a node containing an empty map or with an incorrect
highbit.  Both checks are already performed by userspace, the former
since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision
2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol:
ebitmap: reject loading bitmaps with incorrect high bit")).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 security/selinux/ss/ebitmap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 77875ad355f7..ac9da819531d 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -450,6 +450,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 			goto bad;
 		}
 		map = le64_to_cpu(mapbits);
+		if (!map) {
+			pr_err("SELinux: ebitmap: empty map\n");
+			goto bad;
+		}
 
 		index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE;
 		while (map) {
@@ -457,6 +461,13 @@ int ebitmap_read(struct ebitmap *e, void *fp)
 			map = EBITMAP_SHIFT_UNIT_SIZE(map);
 		}
 	}
+
+	if (n && n->startbit + EBITMAP_SIZE != e->highbit) {
+		pr_err("SELinux: ebitmap: high bit %d has not the expected value %ld\n",
+		       e->highbit, n->startbit + EBITMAP_SIZE);
+		goto bad;
+	}
+
 ok:
 	rc = 0;
 out:
-- 
2.40.1
Re: [PATCH] selinux: reject invalid ebitmaps
Posted by Paul Moore 2 years, 3 months ago 
On Aug 18, 2023 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> 
> Reject ebitmaps with a node containing an empty map or with an incorrect
> highbit.  Both checks are already performed by userspace, the former
> since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision
> 2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol:
> ebitmap: reject loading bitmaps with incorrect high bit")).
> 
> Signed-off-by: Christian G\ufffd\ufffdttsche <cgzones@googlemail.com>
> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  security/selinux/ss/ebitmap.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 77875ad355f7..ac9da819531d 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c

...

> @@ -457,6 +461,13 @@ int ebitmap_read(struct ebitmap *e, void *fp)
>  			map = EBITMAP_SHIFT_UNIT_SIZE(map);
>  		}
>  	}
> +
> +	if (n && n->startbit + EBITMAP_SIZE != e->highbit) {
> +		pr_err("SELinux: ebitmap: high bit %d has not the expected value %ld\n",

That reads a little awkward in English, how about "high bit %d is not
equal to the expected value %ld\n"?

> +		       e->highbit, n->startbit + EBITMAP_SIZE);
> +		goto bad;
> +	}
> +
>  ok:
>  	rc = 0;
>  out:
> -- 
> 2.40.1

--
paul-moore.com
Re: [PATCH] selinux: reject invalid ebitmaps
Posted by Stephen Smalley 2 years, 3 months ago 
On Fri, Aug 18, 2023 at 11:29 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Reject ebitmaps with a node containing an empty map or with an incorrect
> highbit.  Both checks are already performed by userspace, the former
> since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision
> 2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol:
> ebitmap: reject loading bitmaps with incorrect high bit")).
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.