* [PATCH 0/2] A bugfix patchset for NetLabel
@ 2006-12-15 21:49 paul.moore
2006-12-15 21:49 ` [PATCH 1/2] NetLabel: perform input validation earlier on CIPSOv4 DOI add ops paul.moore
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: paul.moore @ 2006-12-15 21:49 UTC (permalink / raw)
To: netdev, selinux
This patch set fixes two bugs that were found recently when adding new CIPSOv4
DOI definitions. These patches are pretty small and have been tested by a few
different people on several different platforms.
Please apply these for 2.6.20 and they should probably be pushed to the 2.6.19
stable tree as well; is there anything special I need to do for that?
--
paul moore
linux security @ hp
* [PATCH 1/2] NetLabel: perform input validation earlier on CIPSOv4 DOI add ops
2006-12-15 21:49 [PATCH 0/2] A bugfix patchset for NetLabel paul.moore
@ 2006-12-15 21:49 ` paul.moore
2006-12-15 21:49 ` [PATCH 2/2] NetLabel: correctly fill in unused CIPSOv4 level and category mappings paul.moore
2006-12-16 1:19 ` [PATCH 0/2] A bugfix patchset for NetLabel James Morris
2 siblings, 0 replies; 6+ messages in thread
From: paul.moore @ 2006-12-15 21:49 UTC (permalink / raw)
To: netdev, selinux; +Cc: Paul Moore
[-- Attachment #1: netlabel-cipso_input_fix --]
[-- Type: text/plain, Size: 3736 bytes --]
From: Paul Moore <paul.moore@hp.com>
There are a couple of cases where the user input for a CIPSOv4 DOI add
operation was not being done soon enough; the result was unexpected behavior
which was resulting in oops/panics/lockups on some platforms. This patch moves
the existing input validation code earlier in the code path to protect against
bogus user input.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
net/netlabel/netlabel_cipso_v4.c | 28 +++++++++++++++++-----------
1 files changed, 17 insertions(+), 11 deletions(-)
Index: net-2.6.20_bugfix/net/netlabel/netlabel_cipso_v4.c
===================================================================
--- net-2.6.20_bugfix.orig/net/netlabel/netlabel_cipso_v4.c
+++ net-2.6.20_bugfix/net/netlabel/netlabel_cipso_v4.c
@@ -185,20 +185,31 @@ static int netlbl_cipsov4_add_std(struct
ret_val = netlbl_cipsov4_add_common(info, doi_def);
if (ret_val != 0)
goto add_std_failure;
+ ret_val = -EINVAL;
nla_for_each_nested(nla_a,
info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
nla_a_rem)
if (nla_a->nla_type == NLBL_CIPSOV4_A_MLSLVL) {
+ if (nla_validate_nested(nla_a,
+ NLBL_CIPSOV4_A_MAX,
+ netlbl_cipsov4_genl_policy) != 0)
+ goto add_std_failure;
nla_for_each_nested(nla_b, nla_a, nla_b_rem)
switch (nla_b->nla_type) {
case NLBL_CIPSOV4_A_MLSLVLLOC:
+ if (nla_get_u32(nla_b) >
+ CIPSO_V4_MAX_LOC_LVLS)
+ goto add_std_failure;
if (nla_get_u32(nla_b) >=
doi_def->map.std->lvl.local_size)
doi_def->map.std->lvl.local_size =
nla_get_u32(nla_b) + 1;
break;
case NLBL_CIPSOV4_A_MLSLVLREM:
+ if (nla_get_u32(nla_b) >
+ CIPSO_V4_MAX_REM_LVLS)
+ goto add_std_failure;
if (nla_get_u32(nla_b) >=
doi_def->map.std->lvl.cipso_size)
doi_def->map.std->lvl.cipso_size =
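Review bot: The new per-attribute bound in the NLBL_CIPSOV4_A_MLSLVLLOC and NLBL_CIPSOV4_A_MLSLVLREM cases is not equivalent to the check this patch removes further down. The removed test rejected local_size > CIPSO_V4_MAX_LOC_LVLS, and local_size is set to nla_get_u32(nla_b) + 1, so a value equal to CIPSO_V4_MAX_LOC_LVLS used to fail and now passes, leaving local_size at CIPSO_V4_MAX_LOC_LVLS + 1 when the array is allocated. If the constant is a count of levels, the comparison should be >=; if it is the highest valid level, a short comment saying so would make the + 1 sizing obviously correct. Reading the value once into a local u32 would also avoid calling nla_get_u32(nla_b) up to three times per attribute.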
@@ -206,9 +217,6 @@ static int netlbl_cipsov4_add_std(struct
break;
}
}
- if (doi_def->map.std->lvl.local_size > CIPSO_V4_MAX_LOC_LVLS ||
- doi_def->map.std->lvl.cipso_size > CIPSO_V4_MAX_REM_LVLS)
- goto add_std_failure;
doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size,
sizeof(u32),
GFP_KERNEL);
@@ -230,11 +238,6 @@ static int netlbl_cipsov4_add_std(struct
struct nlattr *lvl_loc;
struct nlattr *lvl_rem;
- if (nla_validate_nested(nla_a,
- NLBL_CIPSOV4_A_MAX,
- netlbl_cipsov4_genl_policy) != 0)
- goto add_std_failure;
-
lvl_loc = nla_find_nested(nla_a,
NLBL_CIPSOV4_A_MLSLVLLOC);
lvl_rem = nla_find_nested(nla_a,
@@ -264,12 +267,18 @@ static int netlbl_cipsov4_add_std(struct
nla_for_each_nested(nla_b, nla_a, nla_b_rem)
switch (nla_b->nla_type) {
case NLBL_CIPSOV4_A_MLSCATLOC:
+ if (nla_get_u32(nla_b) >
+ CIPSO_V4_MAX_LOC_CATS)
+ goto add_std_failure;
if (nla_get_u32(nla_b) >=
doi_def->map.std->cat.local_size)
doi_def->map.std->cat.local_size =
nla_get_u32(nla_b) + 1;
break;
case NLBL_CIPSOV4_A_MLSCATREM:
+ if (nla_get_u32(nla_b) >
+ CIPSO_V4_MAX_REM_CATS)
+ goto add_std_failure;
if (nla_get_u32(nla_b) >=
doi_def->map.std->cat.cipso_size)
doi_def->map.std->cat.cipso_size =
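Review bot: The category sizing pass gets the new range checks on NLBL_CIPSOV4_A_MLSCATLOC and NLBL_CIPSOV4_A_MLSCATREM, but unlike the level pass this hunk shows no nla_validate_nested() call being added ahead of the inner nla_for_each_nested loop. Please confirm that each nested category attribute is already validated against netlbl_cipsov4_genl_policy before nla_get_u32(nla_b) is applied to it here; if that validation only happens in the later fill loop, it needs to move up the same way it did for levels. The same boundary question applies as well: a value equal to CIPSO_V4_MAX_LOC_CATS or CIPSO_V4_MAX_REM_CATS is accepted and yields a size of the maximum plus one, which the removed cat.local_size > CIPSO_V4_MAX_LOC_CATS check would have rejected.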
@@ -277,9 +286,6 @@ static int netlbl_cipsov4_add_std(struct
break;
}
}
- if (doi_def->map.std->cat.local_size > CIPSO_V4_MAX_LOC_CATS ||
- doi_def->map.std->cat.cipso_size > CIPSO_V4_MAX_REM_CATS)
- goto add_std_failure;
doi_def->map.std->cat.local = kcalloc(
doi_def->map.std->cat.local_size,
sizeof(u32),
--
paul moore
linux security @ hp
* [PATCH 2/2] NetLabel: correctly fill in unused CIPSOv4 level and category mappings
2006-12-15 21:49 [PATCH 0/2] A bugfix patchset for NetLabel paul.moore
2006-12-15 21:49 ` [PATCH 1/2] NetLabel: perform input validation earlier on CIPSOv4 DOI add ops paul.moore
@ 2006-12-15 21:49 ` paul.moore
2006-12-16 1:19 ` [PATCH 0/2] A bugfix patchset for NetLabel James Morris
2 siblings, 0 replies; 6+ messages in thread
From: paul.moore @ 2006-12-15 21:49 UTC (permalink / raw)
To: netdev, selinux; +Cc: Paul Moore
[-- Attachment #1: netlabel-cipso_add_std_fix --]
[-- Type: text/plain, Size: 2019 bytes --]
From: Paul Moore <paul.moore@hp.com>
Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentally dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value. The result
is the mappings data in the kernel contains bogus mappings which always map to
zero. This patch restores the old/correct behavior by initializing the mapping
data to the correct sentinel value.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
net/netlabel/netlabel_cipso_v4.c | 9 +++++++++
1 files changed, 9 insertions(+)
Index: net-2.6.20_bugfix/net/netlabel/netlabel_cipso_v4.c
===================================================================
--- net-2.6.20_bugfix.orig/net/netlabel/netlabel_cipso_v4.c
+++ net-2.6.20_bugfix/net/netlabel/netlabel_cipso_v4.c
@@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct
struct nlattr *nla_b;
int nla_a_rem;
int nla_b_rem;
+ u32 iter;
if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
!info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
@@ -231,6 +232,10 @@ static int netlbl_cipsov4_add_std(struct
ret_val = -ENOMEM;
goto add_std_failure;
}
+ for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
+ doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
+ for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
+ doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
nla_for_each_nested(nla_a,
info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
nla_a_rem)
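Review bot: The two fill loops for lvl.local and lvl.cipso carry no comment, and the commit message says this exact initialization was lost once already during a refactor. A one-line comment above them stating that every slot not named by a NLBL_CIPSOV4_A_MLSLVL entry must hold CIPSO_V4_INV_LVL, because a zeroed slot reads as a valid mapping to level 0, would make the intent visible to the next person restructuring this function. Since the arrays are now fully overwritten right after allocation, the zeroing done by kcalloc() no longer contributes anything; that is harmless, but worth a mention if the allocation is ever touched.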
@@ -302,6 +307,10 @@ static int netlbl_cipsov4_add_std(struct
ret_val = -ENOMEM;
goto add_std_failure;
}
+ for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
+ doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
+ for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
+ doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
nla_for_each_nested(nla_a,
info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
nla_a_rem)
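Review bot: With this hunk the patch has four loops that differ only in the array, its size and the sentinel (lvl.local, lvl.cipso, cat.local, cat.cipso). A small static helper taking the u32 array, its length and the fill value would remove the repetition and give a single place to document why CIPSO_V4_INV_LVL and CIPSO_V4_INV_CAT are required. It would also help to state in the changelog which lookups consume these tables, so reviewers can confirm they test for the sentinel rather than treating it as a valid category.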
--
paul moore
linux security @ hp
* Re: [PATCH 0/2] A bugfix patchset for NetLabel
2006-12-15 21:49 [PATCH 0/2] A bugfix patchset for NetLabel paul.moore
2006-12-15 21:49 ` [PATCH 1/2] NetLabel: perform input validation earlier on CIPSOv4 DOI add ops paul.moore
2006-12-15 21:49 ` [PATCH 2/2] NetLabel: correctly fill in unused CIPSOv4 level and category mappings paul.moore
@ 2006-12-16 1:19 ` James Morris
2006-12-18 1:14 ` David Miller
2006-12-18 16:24 ` Paul Moore
2 siblings, 2 replies; 6+ messages in thread
From: James Morris @ 2006-12-16 1:19 UTC (permalink / raw)
To: paul.moore; +Cc: netdev, selinux
On Fri, 15 Dec 2006, paul.moore@hp.com wrote:
> This patch set fixes two bugs that were found recently when adding new CIPSOv4
> DOI definitions. These patches are pretty small and have been tested by a few
> different people on several different platforms.
Applied to git://git.infradead.org/~jmorris/selinux-2.6#fixes
> Please apply these for 2.6.20 and they should probably be pushed to the 2.6.19
> stable tree as well; is there anything special I need to do for that?
I'm not sure that they qualify.
The first is a privileged operation, right?
For the second, what are the implications of mapping to zero?
Also review Documentation/stable_kernel_rules.txt.
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 0/2] A bugfix patchset for NetLabel
2006-12-16 1:19 ` [PATCH 0/2] A bugfix patchset for NetLabel James Morris
@ 2006-12-18 1:14 ` David Miller
2006-12-18 16:24 ` Paul Moore
1 sibling, 0 replies; 6+ messages in thread
From: David Miller @ 2006-12-18 1:14 UTC (permalink / raw)
To: jmorris; +Cc: paul.moore, netdev, selinux
From: James Morris <jmorris@namei.org>
Date: Fri, 15 Dec 2006 20:19:56 -0500 (EST)
> On Fri, 15 Dec 2006, paul.moore@hp.com wrote:
>
> > This patch set fixes two bugs that were found recently when adding new CIPSOv4
> > DOI definitions. These patches are pretty small and have been tested by a few
> > different people on several different platforms.
>
> Applied to git://git.infradead.org/~jmorris/selinux-2.6#fixes
James, let me know when you want me to pull some stuff in.
Thanks.
* Re: [PATCH 0/2] A bugfix patchset for NetLabel
2006-12-16 1:19 ` [PATCH 0/2] A bugfix patchset for NetLabel James Morris
2006-12-18 1:14 ` David Miller
@ 2006-12-18 16:24 ` Paul Moore
1 sibling, 0 replies; 6+ messages in thread
From: Paul Moore @ 2006-12-18 16:24 UTC (permalink / raw)
To: James Morris; +Cc: netdev, selinux
James Morris wrote:
> On Fri, 15 Dec 2006, paul.moore@hp.com wrote:
>
>>This patch set fixes two bugs that were found recently when adding new CIPSOv4
>>DOI definitions. These patches are pretty small and have been tested by a few
>>different people on several different platforms.
>
> Applied to git://git.infradead.org/~jmorris/selinux-2.6#fixes
Thanks.
>>Please apply these for 2.6.20 and they should probably be pushed to the 2.6.19
>>stable tree as well; is there anything special I need to do for that?
>
> I'm not sure that they qualify.
>
> The first is a privileged operation, right?
Yes it is, you need CAP_NET_ADMIN. I guess this probably isn't that important
for 2.6.19 then ...
> For the second, what are the implications of mapping to zero?
>
> Also review Documentation/stable_kernel_rules.txt.
[Thanks for the pointer, didn't know that file was there]
... however, I still think this might qualify for the 2.6.19 stable kernel.
When a MLS sensitivity level or category maps to zero then whenever the NetLabel
subsystem is called to resolve the security attributes of a packet it will, in
certain configurations, return security attributes/contexts which are incorrect.
Please let me know if you think that has merit for the stable tree and I'll send
the patch to the stable mailing list.
--
paul moore
linux security @ hp