selinux: reject invalid ebitmaps
authorChristian Göttsche <cgzones@googlemail.com>
Fri, 15 Mar 2024 17:28:44 +0000 (18:28 +0100)
committerPaul Moore <paul@paul-moore.com>
Tue, 26 Mar 2024 20:36:14 +0000 (16:36 -0400)
Reject ebitmaps with a node containing an empty map or with an incorrect
highbit.  Both checks are already performed by userspace, the former
since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision
2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol:
ebitmap: reject loading bitmaps with incorrect high bit")).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/ss/ebitmap.c

index 67c1a73cd5eef2a62e82cfc3d6af3e880a38cbe0..f1ba333f127dc47fab650a6b3e9ee03f184f8c15 100644 (file)
@@ -448,6 +448,10 @@ int ebitmap_read(struct ebitmap *e, void *fp)
                        goto bad;
                }
                map = le64_to_cpu(mapbits);
+               if (!map) {
+                       pr_err("SELinux: ebitmap: empty map\n");
+                       goto bad;
+               }
 
                index = (startbit - n->startbit) / EBITMAP_UNIT_SIZE;
                while (map) {
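Review bot: The new `if (!map)` rejection carries no comment saying why an all-zero map is invalid, and its error message does not identify the offending node. A reader learns only from the commit message that userspace already refuses such bitmaps; a one-line comment such as `/* a node with no bits set is not a valid encoding; userspace rejects it too */` would keep that reasoning next to the check. Including the node position in the log, e.g. `pr_err("SELinux: ebitmap: empty map at start bit %u\n", startbit);` (assuming startbit is a u32, since its declaration is outside the hunk), would make a malformed policy easier to diagnose. The body of ebitmap_read starts and continues outside the hunk.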
@@ -455,6 +459,13 @@ int ebitmap_read(struct ebitmap *e, void *fp)
                        map = EBITMAP_SHIFT_UNIT_SIZE(map);
                }
        }
+
+       if (n && n->startbit + EBITMAP_SIZE != e->highbit) {
+               pr_err("SELinux: ebitmap: high bit %d is not equal to the expected value %ld\n",
+                      e->highbit, n->startbit + EBITMAP_SIZE);
+               goto bad;
+       }
+
 ok:
        rc = 0;
 out:
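Review bot: The format specifiers in the new pr_err() for the high-bit check look mismatched with their arguments: `%d` is used for `e->highbit` and `%ld` for `n->startbit + EBITMAP_SIZE`. The declarations are outside the hunk, but if highbit is an unsigned 32-bit field and EBITMAP_SIZE is derived from sizeof (making the sum a size_t), then `%ld` does not match on 32-bit builds and large values would print as negative. Specifiers that follow the operand types would avoid both problems, e.g. `pr_err("SELinux: ebitmap: high bit %u is not equal to the expected value %zu\n",`. ebitmap_read starts and ends outside the hunk, so the types should be confirmed against the struct definition before changing this.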