Smack: prevent underflow in smk_set_cipso()

Dan Carpenter · cschaufler · commit 42a2df3e829f · 2020-07-27T13:35:12.000-07:00
We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e47 ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
@@ -884,7 +884,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 	}
 
 	ret = sscanf(rule, "%d", &maplevel);
-	if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
+	if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL)
 		goto out;
 
 	rule += SMK_DIGITLEN;

Original file line number	Diff line number	Diff line change
`@@ -884,7 +884,7 @@ static ssize_t smk_set_cipso(struct file file, const char __user buf,`
`884`	`884`	`}`
`885`	`885`
`886`	`886`	`ret = sscanf(rule, "%d", &maplevel);`
`887`		`- if (ret != 1 \|\| maplevel > SMACK_CIPSO_MAXLEVEL)`
	`887`	`+ if (ret != 1 \|\| maplevel < 0 \|\| maplevel > SMACK_CIPSO_MAXLEVEL)`
`888`	`888`	`goto out;`
`889`	`889`
`890`	`890`	`rule += SMK_DIGITLEN;`