selinux: fix overflow and 0 length allocations

Throughout the SELinux LSM, values taken from sepolicy are used in places where length == 0 or length == <saturated> matter, find and fix these. Signed-off-by: N William Roberts <william.c.roberts@intel.com> Signed-off-by: N Paul Moore <paul@paul-moore.com>

selinux: fix overflow and 0 length allocations
Throughout the SELinux LSM, values taken from sepolicy are used in places where length == 0 or length == <saturated> matter, find and fix these. Signed-off-by: N William Roberts <william.c.roberts@intel.com> Signed-off-by: N Paul Moore <paul@paul-moore.com>
7c686af0 · William Roberts · Paul Moore · 3bc7bcf6 · 7c686af0 · 7c686af0
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

security/selinux/ss/conditional.c security/selinux/ss/conditional.c +2 -0

security/selinux/ss/policydb.c security/selinux/ss/policydb.c +3 -0

未找到文件。
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -242,6 +242,8 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
 		goto err;

 	len = le32_to_cpu(buf[2]);
+	if (((len == 0) || (len == (u32)-1)))
+		goto err;

 	rc = -ENOMEM;
 	key = kmalloc(len + 1, GFP_KERNEL);

--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1094,6 +1094,9 @@ static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
 	int rc;
 	char *str;

+	if ((len == 0) || (len == (u32)-1))
+		return -EINVAL;
+
 	str = kmalloc(len + 1, flags);
 	if (!str)
 		return -ENOMEM;