Patch "netlabel: fix out-of-bounds memory accesses" has been added to the 5.16-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 9 Apr 2022 22:22:31 -0400

This is a note to let you know that I've just added the patch titled

    netlabel: fix out-of-bounds memory accesses

to the 5.16-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netlabel-fix-out-of-bounds-memory-accesses.patch
and it can be found in the queue-5.16 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1f9f559e3b4713c3e7d4af0128edeef050e44694
Author: Wang Yufen <wangyufen@xxxxxxxxxx>
Date:   Fri Mar 18 14:35:08 2022 +0800

    netlabel: fix out-of-bounds memory accesses
    
    [ Upstream commit f22881de730ebd472e15bcc2c0d1d46e36a87b9c ]
    
    In calipso_map_cat_ntoh(), in the for loop, if the return value of
    netlbl_bitmap_walk() is equal to (net_clen_bits - 1), when
    netlbl_bitmap_walk() is called next time, out-of-bounds memory accesses
    of bitmap[byte_offset] occurs.
    
    The bug was found during fuzzing. The following is the fuzzing report
     BUG: KASAN: slab-out-of-bounds in netlbl_bitmap_walk+0x3c/0xd0
     Read of size 1 at addr ffffff8107bf6f70 by task err_OH/252
    
     CPU: 7 PID: 252 Comm: err_OH Not tainted 5.17.0-rc7+ #17
     Hardware name: linux,dummy-virt (DT)
     Call trace:
      dump_backtrace+0x21c/0x230
      show_stack+0x1c/0x60
      dump_stack_lvl+0x64/0x7c
      print_address_description.constprop.0+0x70/0x2d0
      __kasan_report+0x158/0x16c
      kasan_report+0x74/0x120
      __asan_load1+0x80/0xa0
      netlbl_bitmap_walk+0x3c/0xd0
      calipso_opt_getattr+0x1a8/0x230
      calipso_sock_getattr+0x218/0x340
      calipso_sock_getattr+0x44/0x60
      netlbl_sock_getattr+0x44/0x80
      selinux_netlbl_socket_setsockopt+0x138/0x170
      selinux_socket_setsockopt+0x4c/0x60
      security_socket_setsockopt+0x4c/0x90
      __sys_setsockopt+0xbc/0x2b0
      __arm64_sys_setsockopt+0x6c/0x84
      invoke_syscall+0x64/0x190
      el0_svc_common.constprop.0+0x88/0x200
      do_el0_svc+0x88/0xa0
      el0_svc+0x128/0x1b0
      el0t_64_sync_handler+0x9c/0x120
      el0t_64_sync+0x16c/0x170
    
    Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
    Signed-off-by: Wang Yufen <wangyufen@xxxxxxxxxx>
    Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index beb0e573266d..54c083003947 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -885,6 +885,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
 	unsigned char bitmask;
 	unsigned char byte;
 
+	if (offset >= bitmap_len)
+		return -1;
 	byte_offset = offset / 8;
 	byte = bitmap[byte_offset];
 	bit_spot = offset;






