Re: [PATCH] libsepol: add missing ibendport port validity check


On Mon, Oct 22, 2018 at 4:49 PM William Roberts
<bill.c.roberts@xxxxxxxxx> wrote:
> On Mon, Oct 22, 2018 at 1:18 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > The kernel checks if the port is in the range 1-255 when loading an
> > ibendportcon rule. Add the same check to libsepol.
> >
> > Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >  libsepol/src/policydb.c | 11 +++++++++--
> >  1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index db6765ba..e2808b2d 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -2854,7 +2854,9 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
> >                                         return -1;
> >                                 break;
> >                         }
> > -                       case OCON_IBENDPORT:
> > +                       case OCON_IBENDPORT: {
> > +                               uint32_t port;
> > +
> >                                 rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
> >                                 if (rc < 0)
> >                                         return -1;
> > @@ -2862,6 +2864,10 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
> >                                 if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
> >                                         return -1;
> >
> > +                               port = le32_to_cpu(buf[1]);
> > +                               if (port > 0xff || port == 0)
> > +                                       return -1;
>
> You switched the other code to using UINT16_MAX; you should probably use
> UINT8_MAX here.

Good point. I'll need to update the kernel patch as well.

Thanks,

>
> > +
> >                                 c->u.ibendport.dev_name = malloc(len + 1);
> >                                 if (!c->u.ibendport.dev_name)
> >                                         return -1;
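Review bot: the bound in `if (port > 0xff || port == 0)` is a bare magic number; since the commit message states the kernel's accepted range as 1-255, spell it as `UINT8_MAX` (as suggested above) so the check documents itself and matches the `UINT16_MAX` used for the other port checks. The placement is right: reading `port = le32_to_cpu(buf[1])` and rejecting it before `c->u.ibendport.dev_name = malloc(len + 1)` means a bad port never leaves an allocated dev_name behind on the failure path, and it also removes the silent truncation that the old direct assignment from buf[1] allowed.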
> > @@ -2869,11 +2875,12 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
> >                                 if (rc < 0)
> >                                         return -1;
> >                                 c->u.ibendport.dev_name[len] = 0;
> > -                               c->u.ibendport.port = le32_to_cpu(buf[1]);
> > +                               c->u.ibendport.port = port;
> >                                 if (context_read_and_validate
> >                                     (&c->context[0], p, fp))
> >                                         return -1;
> >                                 break;
> > +                       }
> >                         case OCON_PORT:
> >                                 rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
> >                                 if (rc < 0)
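Review bot: `c->u.ibendport.port = port;` now stores an already-validated value, which is the right ordering, but the two `return -1` paths that remain between the `malloc(len + 1)` and this assignment (the `rc < 0` check after reading dev_name, and the `context_read_and_validate` failure) exit with dev_name allocated; whether that memory is released depends on the caller freeing the partially built ocontext list, which is not visible in this hunk and is worth confirming in the same pass. Also keep the closing `}` after `break;` directly before `case OCON_PORT:` as shown, so `port` stays scoped to this case only.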
> > --
> > 2.17.2
> >

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
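The record layout and the 1-255 port check discussed in the patch above, as an added stand-alone example (not libsepol's or the kernel's code): two little-endian uint32 words (device-name length, port) followed by `len` name bytes, validated before any allocation so a rejected record never leaks. The value of IB_DEVICE_NAME_MAX, the `ibendport` struct, the helper names and the sample device name are all assumptions made for the example; the security context that follows the name in a real policydb is not modelled.

```c
/* Added example, not libsepol or kernel code. Models the ibendport
 * ocontext record as the patch reads it: le32 len, le32 port, name bytes.
 * Everything else here (constants, struct, helper names) is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IB_DEVICE_NAME_MAX 64          /* assumed value for the example */

struct ibendport {
    char *dev_name;
    uint8_t port;                      /* 1-255 fits; 0 is never valid */
};

static uint32_t le32_load(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_store(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse one record from buf[0..avail). Returns bytes consumed, or -1 if
 * the record is malformed. All checks run before malloc(), mirroring the
 * ordering in the patch, so an error never leaves dev_name allocated. */
int ibendport_read(const uint8_t *buf, size_t avail, struct ibendport *out)
{
    if (avail < 2 * sizeof(uint32_t))
        return -1;
    uint32_t len  = le32_load(buf);
    uint32_t port = le32_load(buf + 4);

    if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
        return -1;
    if (port == 0 || port > UINT8_MAX)   /* kernel range 1-255 */
        return -1;
    if (avail - 8 < len)                 /* name would run past the buffer */
        return -1;

    out->dev_name = malloc(len + 1);
    if (!out->dev_name)
        return -1;
    memcpy(out->dev_name, buf + 8, len);
    out->dev_name[len] = '\0';
    out->port = (uint8_t)port;           /* safe: already bounded above */
    return (int)(8 + len);
}

void ibendport_free(struct ibendport *e)
{
    free(e->dev_name);
    e->dev_name = NULL;
}

/* Build a record in memory; used only to construct test input. */
size_t ibendport_encode(uint8_t *dst, const char *name, uint32_t port)
{
    uint32_t len = (uint32_t)strlen(name);
    le32_store(dst, len);
    le32_store(dst + 4, port);
    memcpy(dst + 8, name, len);
    return 8 + len;
}

int main(void)
{
    /* Constructed sample records; "mlx5_0" is just a plausible device name. */
    const uint32_t ports[] = { 1, 255, 0, 256, 257 };
    uint8_t rec[IB_DEVICE_NAME_MAX + 8];
    for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
        struct ibendport e = { 0 };
        size_t n = ibendport_encode(rec, "mlx5_0", ports[i]);
        int rc = ibendport_read(rec, n, &e);
        printf("port %u -> %s\n", ports[i], rc < 0 ? "rejected" : "accepted");
        if (rc >= 0)
            ibendport_free(&e);
    }
    return 0;
}
```

Port 257 is the interesting case: without the check, the old direct assignment would have truncated it to port 1 and accepted a rule the kernel would refuse, so the libsepol-side check keeps the two loaders in agreement.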
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx