This is a note to let you know that I've just added the patch titled
selinux: check length properly in SCTP bind hook
to the 4.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
selinux-check-length-properly-in-sctp-bind-hook.patch
and it can be found in the queue-4.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From c138325fb8713472d5a0c3c7258b9131bab40725 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
Date: Tue, 13 Nov 2018 16:16:08 +0100
Subject: selinux: check length properly in SCTP bind hook
From: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream.
selinux_sctp_bind_connect() must verify if the address buffer has
sufficient length before accessing the 'sa_family' field. See
__sctp_connect() for a similar check.
The length of the whole address ('len') is already checked in the
callees.
Reported-by: Qian Cai <cai@xxxxxx>
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Cc: <stable@xxxxxxxxxxxxxxx> # 4.17+
Cc: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
Tested-by: Qian Cai <cai@xxxxxx>
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/selinux/hooks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5318,6 +5318,9 @@ static int selinux_sctp_bind_connect(str
addr_buf = address;
while (walk_size < addrlen) {
+ if (walk_size + sizeof(sa_family_t) > addrlen)
+ return -EINVAL;
+
addr = addr_buf;
switch (addr->sa_family) {
case AF_UNSPEC:
Patches currently in stable-queue which might be from omosnace@xxxxxxxxxx are
queue-4.19/selinux-check-length-properly-in-sctp-bind-hook.patch
