diff options
author | William Roberts <william.c.roberts@intel.com> | 2016-08-30 09:28:11 -0700 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2016-08-30 15:45:50 -0400 |
commit | 7c686af071ade663d0995aa30b262495a6c68c88 (patch) | |
tree | dc9d17f0b475edc7c371475a33fa8683eb3802cd /security | |
parent | 3bc7bcf69bbe763359454b2c40efcba22730e181 (diff) | |
download | linux-7c686af071ade663d0995aa30b262495a6c68c88.tar.gz linux-7c686af071ade663d0995aa30b262495a6c68c88.tar.bz2 linux-7c686af071ade663d0995aa30b262495a6c68c88.zip |
selinux: fix overflow and 0 length allocations
Throughout the SELinux LSM, values taken from sepolicy are
used in places where length == 0 or length == <saturated>
matter, find and fix these.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/ss/conditional.c | 2 | ||||
-rw-r--r-- | security/selinux/ss/policydb.c | 3 |
2 files changed, 5 insertions, 0 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 456e1a9bcfde..34afeadd9e73 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -242,6 +242,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp) goto err; len = le32_to_cpu(buf[2]); + if (((len == 0) || (len == (u32)-1))) + goto err; rc = -ENOMEM; key = kmalloc(len + 1, GFP_KERNEL); diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 4b243855ed7b..8c661f0451ec 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1094,6 +1094,9 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len) int rc; char *str; + if ((len == 0) || (len == (u32)-1)) + return -EINVAL; + str = kmalloc(len + 1, flags); if (!str) return -ENOMEM; |