diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2007-11-07 10:08:00 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-11-08 08:56:23 +1100 |
commit | 45e5421eb5bbcd9efa037d682dd357284e3ef982 (patch) | |
tree | ceb24143024fe335d08ac30fb4da9ca25fbeb6e6 /security/selinux/ss/policydb.c | |
parent | 6d2b685564ba417f4c6d80c3661f0dfee13fff85 (diff) | |
download | kernel-crypto-45e5421eb5bbcd9efa037d682dd357284e3ef982.tar.gz kernel-crypto-45e5421eb5bbcd9efa037d682dd357284e3ef982.tar.xz kernel-crypto-45e5421eb5bbcd9efa037d682dd357284e3ef982.zip |
SELinux: add more validity checks on policy load
Add more validity checks at policy load time to reject malformed
policies and prevent subsequent out-of-range indexing when in permissive
mode. Resolves the NULL pointer dereference reported in
https://bugzilla.redhat.com/show_bug.cgi?id=357541.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss/policydb.c')
-rw-r--r-- | security/selinux/ss/policydb.c | 45 |
1 files changed, 44 insertions, 1 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 539828b229b..b582aae3c62 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -713,6 +713,27 @@ out: return rc; } +int policydb_class_isvalid(struct policydb *p, unsigned int class) +{ + if (!class || class > p->p_classes.nprim) + return 0; + return 1; +} + +int policydb_role_isvalid(struct policydb *p, unsigned int role) +{ + if (!role || role > p->p_roles.nprim) + return 0; + return 1; +} + +int policydb_type_isvalid(struct policydb *p, unsigned int type) +{ + if (!type || type > p->p_types.nprim) + return 0; + return 1; +} + /* * Return 1 if the fields in the security context * structure `c' are valid. Return 0 otherwise. @@ -1260,6 +1281,7 @@ static int mls_read_level(struct mls_level *lp, void *fp) "categories\n"); goto bad; } + return 0; bad: @@ -1563,7 +1585,7 @@ int policydb_read(struct policydb *p, void *fp) p->symtab[i].nprim = nprim; } - rc = avtab_read(&p->te_avtab, fp, p->policyvers); + rc = avtab_read(&p->te_avtab, fp, p); if (rc) goto bad; @@ -1595,6 +1617,12 @@ int policydb_read(struct policydb *p, void *fp) tr->role = le32_to_cpu(buf[0]); tr->type = le32_to_cpu(buf[1]); tr->new_role = le32_to_cpu(buf[2]); + if (!policydb_role_isvalid(p, tr->role) || + !policydb_type_isvalid(p, tr->type) || + !policydb_role_isvalid(p, tr->new_role)) { + rc = -EINVAL; + goto bad; + } ltr = tr; } @@ -1619,6 +1647,11 @@ int policydb_read(struct policydb *p, void *fp) goto bad; ra->role = le32_to_cpu(buf[0]); ra->new_role = le32_to_cpu(buf[1]); + if (!policydb_role_isvalid(p, ra->role) || + !policydb_role_isvalid(p, ra->new_role)) { + rc = -EINVAL; + goto bad; + } lra = ra; } @@ -1872,9 +1905,19 @@ int policydb_read(struct policydb *p, void *fp) rt->target_class = le32_to_cpu(buf[0]); } else rt->target_class = SECCLASS_PROCESS; + if (!policydb_type_isvalid(p, rt->source_type) || + !policydb_type_isvalid(p, rt->target_type) || + !policydb_class_isvalid(p, rt->target_class)) { + rc = -EINVAL; + goto bad; + } rc = mls_read_range_helper(&rt->target_range, fp); if (rc) goto bad; + if (!mls_range_isvalid(p, &rt->target_range)) { + printk(KERN_WARNING "security: rangetrans: invalid range\n"); + goto bad; + } lrt = rt; } } |