|
Message-ID: <CAFqZXNtSVvE9XiMSFei7+PD6v-urELi=UjdOtWW8KPdM8e=Q5Q@mail.gmail.com> Date: Tue, 23 Jul 2019 08:48:12 +0200 From: Ondrej Mosnacek <omosnace@...hat.com> To: William Roberts <bill.c.roberts@...il.com> Cc: SElinux list <selinux@...r.kernel.org>, Paul Moore <paul@...l-moore.com>, NitinGote <nitin.r.gote@...el.com>, kernel-hardening@...ts.openwall.com, Kees Cook <keescook@...omium.org> Subject: Re: [PATCH] selinux: check sidtab limit before adding a new entry On Mon, Jul 22, 2019 at 4:17 PM William Roberts <bill.c.roberts@...il.com> wrote: > On Mon, Jul 22, 2019 at 8:34 AM Ondrej Mosnacek <omosnace@...hat.com> wrote: > > > > We need to error out when trying to add an entry above SIDTAB_MAX in > > sidtab_reverse_lookup() to avoid overflow on the odd chance that this > > happens. > > > > Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") > > Signed-off-by: Ondrej Mosnacek <omosnace@...hat.com> > > --- > > security/selinux/ss/sidtab.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > > index e63a90ff2728..54c1ba1e79ab 100644 > > --- a/security/selinux/ss/sidtab.c > > +++ b/security/selinux/ss/sidtab.c > > @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context, > > ++count; > > } > > > > + /* bail out if we already reached max entries */ > > + rc = -ENOMEM; > > Wouldn't -EOVERFLOW be better? Good point. Will change it in v2. > > > + if (count == SIDTAB_MAX) > > + goto out_unlock; > > + > > /* insert context into new entry */ > > rc = -ENOMEM; > > dst = sidtab_do_lookup(s, count, 1); > > -- > > 2.21.0 > > Thanks, -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.