From 5cd9a1b23bbbec24f24fc08fb3d84de6846db72b Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 12 May 2020 17:29:14 -0500 Subject: Fix CVE-2020-10711 (rhbz 1825116 1834778) Signed-off-by: Justin M. Forbes --- kernel.spec | 6 ++ net-netlabel-cope-with-NULL-catmap.patch | 95 ++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 net-netlabel-cope-with-NULL-catmap.patch diff --git a/kernel.spec b/kernel.spec index a987805c2..a89cbc5ab 100644 --- a/kernel.spec +++ b/kernel.spec @@ -906,6 +906,9 @@ Patch511: e1000e-bump-up-timeout-to-wait-when-ME-un-configure-ULP-mode.patch Patch512: drm-dp_mst-Fix-drm_dp_send_dpcd_write-return-code.patch +# CVE-2020-10711 rhbz 1825116 1834778 +Patch513: net-netlabel-cope-with-NULL-catmap.patch + # END OF PATCH DEFINITIONS %endif @@ -3002,6 +3005,9 @@ fi # # %changelog +* Tue May 12 2020 Justin M. Forbes +- Fix CVE-2020-10711 (rhbz 1825116 1834778) + * Mon May 11 2020 Justin M. Forbes - 5.6.12-300 - Linux v5.6.12 diff --git a/net-netlabel-cope-with-NULL-catmap.patch b/net-netlabel-cope-with-NULL-catmap.patch new file mode 100644 index 000000000..06a915121 --- /dev/null +++ b/net-netlabel-cope-with-NULL-catmap.patch 
@@ -0,0 +1,95 @@
+From MAILER-DAEMON Tue May 12 19:31:23 2020
+From: Paolo Abeni
+To: netdev@vger.kernel.org
+Cc: "David S. Miller" , Jakub Kicinski , linux-security-module@vger.kernel.org, Paul Moore , ppandit@redhat.com, Matthew Sheets
+Subject: [PATCH net] netlabel: cope with NULL catmap
+Date: Tue, 12 May 2020 14:43:14 +0200
+Message-Id: <07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni@redhat.com>
+Sender: owner-linux-security-module@vger.kernel.org
+List-ID:
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The cipso and calipso code can set the MLS_CAT attribute on
+successful parsing, even if the corresponding catmap has
+not been allocated, as per current configuration and external
+input.
+
+Later, selinux code tries to access the catmap if the MLS_CAT flag
+is present via netlbl_catmap_getlong(). That may cause null ptr
+dereference while processing incoming network traffic.
+
+Address the issue setting the MLS_CAT flag only if the catmap is
+really allocated. Additionally let netlbl_catmap_getlong() cope
+with NULL catmap.
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
+Reported-by: Matthew Sheets
+Signed-off-by: Paolo Abeni
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ net/ipv6/calipso.c | 3 ++-
+ net/netlabel/netlabel_kapi.c | 6 ++++++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 0bd10a1f477f..a23094b050f8 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+ 
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+ 
+ return 0;
+@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+ 
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+ 
+ return 0;
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 221c81f85cbf..8d3f66c310db 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
+ goto getattr_return;
+ }
+ 
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+ 
+ secattr->type = NETLBL_NLTYPE_CALIPSO;
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 409a3ae47ce2..5e1239cef000 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ if ((off & (BITS_PER_LONG - 1)) != 0)
+ return -EINVAL;
+ 
++ /* a null catmap is equivalent to an empty one */
++ if (!catmap) {
++ *offset = (u32)-1;
++ return 0;
++ }
++
+ if (off < catmap->startbit) {
+ off = catmap->startbit;
+ *offset = off;
+-- 
+2.21.3
+
+
-- cgit
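Review bot: The guard `if (secattr->attr.mls.cat)` is added verbatim at three sites (cipso_v4_parsetag_rbm, cipso_v4_parsetag_rng and calipso_opt_getattr) but the invariant it establishes is not written down where readers of the flag will see it; a comment at the first site such as `/* MLS_CAT is only set once a catmap was actually allocated; consumers check the flag before dereferencing attr.mls.cat */` would make the contract explicit. The check only works if `attr.mls.cat` starts out NULL, so if a secattr can be reused across parses without being reset, a stale pointer would pass it — worth confirming that every caller starts from a zeroed secattr. In the netlbl_catmap_getlong hunk the NULL path sets `*offset = (u32)-1` and returns 0, but the hunk does not show the function's existing end-of-walk path, so whether callers already treat that sentinel as "no more categories" cannot be confirmed here; the function body continues outside the hunk. The kernel.spec hunks are packaging only and need no change.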