4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Xin Long <lucien.xin@xxxxxxxxx> commit 292c997a1970f8d1e1dfa354ed770a22f7b5a434 upstream. As does in __sctp_connect(), when checking addrs in a while loop, after get the addr len according to sa_family, it's necessary to do the check walk_size + af->sockaddr_len > addrs_size to make sure it won't access an out-of-bounds addr. The same thing is needed in selinux_sctp_bind_connect(), otherwise an out-of-bounds issue can be triggered: [14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0 [14548.927083] Call Trace: [14548.938072] dump_stack+0x9a/0xe9 [14548.953015] print_address_description+0x65/0x22e [14548.996524] kasan_report.cold.6+0x92/0x1a6 [14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0 [14549.036947] security_sctp_bind_connect+0x58/0x90 [14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp] [14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp] Cc: stable@xxxxxxxxxxxxxxx Fixes: d452930fd3b9 ("selinux: Add SCTP support") Reported-by: Chunyu Hu <chuhu@xxxxxxxxxx> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- security/selinux/hooks.c | 3 +++ 1 file changed, 3 insertions(+) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5334,6 +5334,9 @@ static int selinux_sctp_bind_connect(str return -EINVAL; } + if (walk_size + len > addrlen) + return -EINVAL; + err = -EINVAL; switch (optname) { /* Bind checks */