From: Paul Moore <paul@paul-moore.com>
To: "Christian Göttsche" <cgoettsche@seltendoof.de>, selinux@vger.kernel.org
Cc: "Christian Göttsche" <cgzones@googlemail.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nick Desaulniers" <ndesaulniers@google.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
"Thiébaud Weksteen" <tweek@google.com>,
"Bram Bonné" <brambonne@google.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
linux-kernel@vger.kernel.org, llvm@lists.linux.dev,
"Eric Suen" <ericsu@linux.microsoft.com>
Subject: Re: [PATCH RFC v2 12/22] selinux: check length fields in policies
Date: Tue, 07 Jan 2025 22:00:07 -0500 [thread overview]
Message-ID: <fdaab30bbed2fe6565fc78227d17cdfa@paul-moore.com> (raw)
In-Reply-To: <20241216164055.96267-12-cgoettsche@seltendoof.de>
On Dec 16, 2024 =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgoettsche@seltendoof.de> wrote:
>
> In multiple places the binary policy announces how many items of some
> kind are to be expected next. Before reading them the kernel already
> allocates enough memory for that announced size. Validate that the
> remaining input size can actually fit the announced items, to avoid OOM
> issues on malformed binary policies.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> security/selinux/ss/avtab.c | 4 ++++
> security/selinux/ss/conditional.c | 14 ++++++++++++++
> security/selinux/ss/policydb.c | 23 +++++++++++++++++++++++
> security/selinux/ss/policydb.h | 13 +++++++++++++
> 4 files changed, 54 insertions(+)
>
> diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
> index 3bd949a200ef..a7bf0ceb45d4 100644
> --- a/security/selinux/ss/avtab.c
> +++ b/security/selinux/ss/avtab.c
> @@ -550,6 +550,10 @@ int avtab_read(struct avtab *a, struct policy_file *fp, struct policydb *pol)
> goto bad;
> }
>
> + rc = oom_check(2 * sizeof(u32), nel, fp);
> + if (rc)
> + goto bad;
> +
> rc = avtab_alloc(a, nel);
> if (rc)
> goto bad;
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 35442f4ceedf..de29948efb48 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -12,6 +12,7 @@
>
> #include "security.h"
> #include "conditional.h"
> +#include "policydb.h"
> #include "services.h"
>
> /*
> @@ -329,6 +330,10 @@ static int cond_read_av_list(struct policydb *p, struct policy_file *fp,
> if (len == 0)
> return 0;
>
> + rc = oom_check(2 * sizeof(u32), len, fp);
> + if (rc)
> + return rc;
Magic number, we should make it obvious why '2' is being used, if we
can't do that we should add a comment.
This comment applies several other places in this patch, I'll refrain
from mentioning all of them.
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 1275fd7d9148..4bc1e225f2fe 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -1174,6 +1177,10 @@ static int common_read(struct policydb *p, struct symtab *s, struct policy_file
> if (nel > 32)
> goto bad;
>
> + rc = oom_check(/*guaranteed read by perm_read()*/2 * sizeof(u32), nel, fp);
> + if (rc)
> + goto bad;
Please don't add a comment *inside* code like that, it makes the code
awful to read.
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 690dc4a00cf3..828fef98e340 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -352,6 +352,19 @@ struct policy_data {
> struct policy_file *fp;
> };
>
> +static inline int oom_check(size_t bytes, size_t num, const struct policy_file *fp)
> +{
> + size_t len;
> +
> + if (unlikely(check_mul_overflow(bytes, num, &len)))
> + return -EINVAL;
> +
> + if (unlikely(len > fp->len))
> + return -EINVAL;
> +
> + return 0;
> +}
I'd prefer if we could use a different name than "oom_check()", perhaps
"size_check()"?
--
paul-moore.com
next prev parent reply other threads:[~2025-01-08 3:00 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-16 16:39 [RFC PATCH v2 01/22] selinux: supply missing field initializers Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 02/22] selinux: avoid using types indicating user space interaction Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 2/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 03/22] selinux: align and constify functions Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 3/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 04/22] selinux: rework match_ipv6_addrmask() Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 4/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 05/22] selinux: avoid nontransitive comparison Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 5/22] " Paul Moore
2025-01-08 13:17 ` Christian Göttsche
2025-01-08 15:06 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 06/22] selinux: rename comparison functions for clarity Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 6/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 07/22] selinux: use known type instead of void pointer Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 7/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 08/22] selinux: avoid unnecessary indirection in struct level_datum Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 8/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 09/22] selinux: make use of str_read() Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC v2 9/22] " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 10/22] selinux: use u16 for security classes Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 11/22] selinux: more strict policy parsing Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2025-01-08 15:49 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 12/22] selinux: check length fields in policies Christian Göttsche
2025-01-08 3:00 ` Paul Moore [this message]
2024-12-16 16:40 ` [RFC PATCH v2 13/22] selinux: validate constraints Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 14/22] selinux: pre-validate conditional expressions Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 15/22] selinux: introduce ebitmap_highest_set_bit() Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2024-12-16 16:40 ` [RFC PATCH v2 16/22] selinux: check type attr map overflows Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 17/22] selinux: reorder policydb_index() Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 18/22] selinux: beef up isvalid checks Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 19/22] selinux: validate symbols Christian Göttsche
2025-01-08 3:00 ` [PATCH RFC " Paul Moore
2025-01-08 17:02 ` Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 20/22] selinux: more strict bounds check Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 21/22] selinux: check for simple types Christian Göttsche
2024-12-16 16:40 ` [RFC PATCH v2 22/22] selinux: restrict policy strings Christian Göttsche
2025-01-03 20:12 ` Stephen Smalley
2025-01-05 23:26 ` Joe Nall
2025-01-07 14:04 ` Christian Göttsche
2025-01-07 16:09 ` Daniel Burgener
2025-01-07 16:32 ` James Carter
2024-12-16 16:40 ` [RFC PATCH v2 00/22] selinux: harden against malformed policies Christian Göttsche
2025-01-08 2:59 ` [PATCH RFC v2 1/22] selinux: supply missing field initializers Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fdaab30bbed2fe6565fc78227d17cdfa@paul-moore.com \
--to=paul@paul-moore.com \
--cc=brambonne@google.com \
--cc=cgoettsche@seltendoof.de \
--cc=cgzones@googlemail.com \
--cc=ericsu@linux.microsoft.com \
--cc=justinstitt@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tweek@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox