From: Eric Paris <eparis@redhat.com> Subject: [RHEL5 PATCH] NetLabel: 219393: Invalid user input cases kernel oops Date: Fri, 22 Dec 2006 12:00:32 -0500 Bugzilla: 219393 Message-Id: <1166806832.23016.61.camel@localhost.localdomain> Changelog: NetLabel: stricter configuration checking BZ 219393 IBM discovered in their testing that an invalid netlabel configuration from the admin can cause a kernel oops. This is fixed by checking validity before using the information. The second part to this bug is that back when the original NetLabel patches were being changed to use Netlink attributes correctly some code was accidentially dropped which set all of the undefined CIPSOv4 level and category mappings to a sentinel value. The result is the mappings data in the kernel contains bogus mappings which always map to zero. This patch restores the old/correct behavior by initializing the mapping data to the correct sentinel value. Which means that when the NetLabel subsystem is called to resolve the security attributes of a packet it will, in certain configurations, return security attributes/contexts which are incorrect. Part one of this patch I was easy able to reproduce and resolve. Part 2 was tested by HP as part of the LSPP effort. These patches were submitted for 2.6.20 but have not yet hit linus's tree. They can be found at: http://www.mail-archive.com/netdev@vger.kernel.org/msg28367.html http://www.mail-archive.com/netdev@vger.kernel.org/msg28365.html -Eric
diff -Naupr linux-2.6.18.i686.pre.netlabel/net/netlabel/netlabel_cipso_v4.c linux-2.6.18.i686/net/netlabel/netlabel_cipso_v4.c
--- linux-2.6.18.i686.pre.netlabel/net/netlabel/netlabel_cipso_v4.c
+++ linux-2.6.18.i686/net/netlabel/netlabel_cipso_v4.c
@@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct
 	struct nlattr *nla_b;
 	int nla_a_rem;
 	int nla_b_rem;
+	u32 iter;
 
 	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
 	    !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
@@ -185,20 +186,31 @@ static int netlbl_cipsov4_add_std(struct
 	ret_val = netlbl_cipsov4_add_common(info, doi_def);
 	if (ret_val != 0)
 		goto add_std_failure;
+	ret_val = -EINVAL;
 
 	nla_for_each_nested(nla_a,
 			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
 			    nla_a_rem)
 		if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSLVL) {
+			if (nla_validate_nested(nla_a,
+						NLBL_CIPSOV4_A_MAX,
+						netlbl_cipsov4_genl_policy) != 0)
+				goto add_std_failure;
 			nla_for_each_nested(nla_b, nla_a, nla_b_rem)
 				switch (nla_b->nla_type) {
 				case NLBL_CIPSOV4_A_MLSLVLLOC:
+					if (nla_get_u32(nla_b) >
+					    CIPSO_V4_MAX_LOC_LVLS)
+						goto add_std_failure;
 					if (nla_get_u32(nla_b) >=
 					    doi_def->map.std->lvl.local_size)
 						doi_def->map.std->lvl.local_size =
 						    nla_get_u32(nla_b) + 1;
 					break;
 				case NLBL_CIPSOV4_A_MLSLVLREM:
+					if (nla_get_u32(nla_b) >
+					    CIPSO_V4_MAX_REM_LVLS)
+						goto add_std_failure;
 					if (nla_get_u32(nla_b) >=
 					    doi_def->map.std->lvl.cipso_size)
 						doi_def->map.std->lvl.cipso_size =
@@ -206,9 +218,6 @@ static int netlbl_cipsov4_add_std(struct
 					break;
 				}
 		}
-	if (doi_def->map.std->lvl.local_size > CIPSO_V4_MAX_LOC_LVLS ||
-	    doi_def->map.std->lvl.cipso_size > CIPSO_V4_MAX_REM_LVLS)
-		goto add_std_failure;
 	doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
 					      sizeof(u32),
 					      GFP_KERNEL);
@@ -223,6 +232,10 @@ static int netlbl_cipsov4_add_std(struct
 		ret_val = -ENOMEM;
 		goto add_std_failure;
 	}
+	for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
+		doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
+	for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
+		doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
 	nla_for_each_nested(nla_a,
 			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
 			    nla_a_rem)
@@ -230,11 +243,6 @@ static int netlbl_cipsov4_add_std(struct
 			struct nlattr *lvl_loc;
 			struct nlattr *lvl_rem;
 
-			if (nla_validate_nested(nla_a,
-						NLBL_CIPSOV4_A_MAX,
-						netlbl_cipsov4_genl_policy) != 0)
-				goto add_std_failure;
-
 			lvl_loc = nla_find_nested(nla_a,
 						  NLBL_CIPSOV4_A_MLSLVLLOC);
 			lvl_rem = nla_find_nested(nla_a,
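Review bot: The new per-attribute bounds in the NLBL_CIPSOV4_A_MLSLVLLOC and NLBL_CIPSOV4_A_MLSLVLREM cases admit one more value than the check they replace: `nla_get_u32(nla_b) > CIPSO_V4_MAX_LOC_LVLS` accepts a level equal to the constant, so lvl.local_size becomes CIPSO_V4_MAX_LOC_LVLS + 1, whereas the removed `doi_def->map.std->lvl.local_size > CIPSO_V4_MAX_LOC_LVLS` test capped the array at exactly CIPSO_V4_MAX_LOC_LVLS entries. If the two constants are array-size limits rather than maximum level values (their definitions are not in this patch), both comparisons should be `>=`; the same applies to the REM case. The attribute value is also read three times per case; a single `u32 lvl = nla_get_u32(nla_b);` at the top of each case would make the bound and the size computation easier to audit together. netlbl_cipsov4_add_std continues outside this hunk, so the callers of these constants cannot be checked here.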
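Review bot: The two fill loops added after the kcalloc failure check carry no comment, and since they overwrite memory kcalloc has just zeroed, a later reader is likely to treat them as redundant and drop them again, which is exactly how the changelog says the sentinel was lost the first time. I would put `/* kcalloc's zero is a real level; mark every unmapped slot invalid so lookups reject it */` above the first loop so the reason lives next to the code rather than only in the commit message. The loop bound and the kcalloc count both read doi_def->map.std->lvl.local_size, so the sentinel covers the whole allocation as written; keeping the two in the same hunk if either is ever changed is worth a note as well.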
@@ -264,12 +272,18 @@ static int netlbl_cipsov4_add_std(struct
 			nla_for_each_nested(nla_b, nla_a, nla_b_rem)
 				switch (nla_b->nla_type) {
 				case NLBL_CIPSOV4_A_MLSCATLOC:
+					if (nla_get_u32(nla_b) >
+					    CIPSO_V4_MAX_LOC_CATS)
+						goto add_std_failure;
 					if (nla_get_u32(nla_b) >=
 					    doi_def->map.std->cat.local_size)
 						doi_def->map.std->cat.local_size =
 						    nla_get_u32(nla_b) + 1;
 					break;
 				case NLBL_CIPSOV4_A_MLSCATREM:
+					if (nla_get_u32(nla_b) >
+					    CIPSO_V4_MAX_REM_CATS)
+						goto add_std_failure;
 					if (nla_get_u32(nla_b) >=
 					    doi_def->map.std->cat.cipso_size)
 						doi_def->map.std->cat.cipso_size =
@@ -277,9 +291,6 @@ static int netlbl_cipsov4_add_std(struct
 					break;
 				}
 		}
-	if (doi_def->map.std->cat.local_size > CIPSO_V4_MAX_LOC_CATS ||
-	    doi_def->map.std->cat.cipso_size > CIPSO_V4_MAX_REM_CATS)
-		goto add_std_failure;
 	doi_def->map.std->cat.local = kcalloc(
 		doi_def->map.std->cat.local_size,
 		sizeof(u32),
@@ -296,6 +307,10 @@ static int netlbl_cipsov4_add_std(struct
 		ret_val = -ENOMEM;
 		goto add_std_failure;
 	}
+	for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
+		doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
+	for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
+		doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
 	nla_for_each_nested(nla_a,
 			    info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
 			    nla_a_rem)
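Review bot: The `goto add_std_failure` jumps added in the NLBL_CIPSOV4_A_MLSCATLOC and NLBL_CIPSOV4_A_MLSCATREM cases do not set ret_val; they depend on the -EINVAL assigned before the level pass still being in place, and the code between the two passes is outside this hunk, so any assignment to ret_val there (the level kcalloc path only writes it on failure) would turn these rejections into a stale or zero return to the caller. A `ret_val = -EINVAL;` immediately before the category loop would make the error code explicit and independent of the level pass. The `>` comparison also admits a category equal to CIPSO_V4_MAX_LOC_CATS, giving cat.local_size a value of CIPSO_V4_MAX_LOC_CATS + 1, one more than the removed `doi_def->map.std->cat.local_size > CIPSO_V4_MAX_LOC_CATS` check allowed; if the constants are size limits this should be `>=`. Whether this category list is run through nla_validate_nested before the inner loop, as the level list now is, cannot be confirmed here because the enclosing nla_for_each_nested starts above line 264.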