netlabel: cope with NULL catmap

Paolo Abeni · davem330 · commit eead1c2ea250 · 2020-05-12T18:12:40.000-07:00
The cipso and calipso code can set the MLS_CAT attribute on successful parsing, even if the corresponding catmap has not been allocated, as per current configuration and external input. Later, selinux code tries to access the catmap if the MLS_CAT flag is present via netlbl_catmap_getlong(). That may cause null ptr dereference while processing incoming network traffic. Address the issue setting the MLS_CAT flag only if the catmap is really allocated. Additionally let netlbl_catmap_getlong() cope with NULL catmap. Reported-by: Matthew Sheets <matthew.sheets@gd-ms.com> Fixes: 4b8feff ("netlabel: fix the horribly broken catmap functions") Fixes: ceba183 ("calipso: Set the calipso socket label to match the secattr.") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
 			return ret_val;
 		}
 
-		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+		if (secattr->attr.mls.cat)
+			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
 	}
 
 	return 0;
@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
 			return ret_val;
 		}
 
-		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+		if (secattr->attr.mls.cat)
+			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
 	}
 
 	return 0;
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
 			goto getattr_return;
 		}
 
-		secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+		if (secattr->attr.mls.cat)
+			secattr->flags |= NETLBL_SECATTR_MLS_CAT;
 	}
 
 	secattr->type = NETLBL_NLTYPE_CALIPSO;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
@@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
 	if ((off & (BITS_PER_LONG - 1)) != 0)
 		return -EINVAL;
 
+	/* a null catmap is equivalent to an empty one */
+	if (!catmap) {
+		*offset = (u32)-1;
+		return 0;
+	}
+
 	if (off < catmap->startbit) {
 		off = catmap->startbit;
 		*offset = off;

Original file line number	Diff line number	Diff line change
`@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,`
`1258`	`1258`	`return ret_val;`
`1259`	`1259`	`}`
`1260`	`1260`
`1261`		`- secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
	`1261`	`+ if (secattr->attr.mls.cat)`
	`1262`	`+ secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
`1262`	`1263`	`}`
`1263`	`1264`
`1264`	`1265`	`return 0;`
`@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,`
`1439`	`1440`	`return ret_val;`
`1440`	`1441`	`}`
`1441`	`1442`
`1442`		`- secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
	`1443`	`+ if (secattr->attr.mls.cat)`
	`1444`	`+ secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
`1443`	`1445`	`}`
`1444`	`1446`
`1445`	`1447`	`return 0;`
Original file line number	Diff line number	Diff line change
`@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,`
`1047`	`1047`	`goto getattr_return;`
`1048`	`1048`	`}`
`1049`	`1049`
`1050`		`- secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
	`1050`	`+ if (secattr->attr.mls.cat)`
	`1051`	`+ secattr->flags \|= NETLBL_SECATTR_MLS_CAT;`
`1051`	`1052`	`}`
`1052`	`1053`
`1053`	`1054`	`secattr->type = NETLBL_NLTYPE_CALIPSO;`