| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Nov 2018 17:28:50 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Qian Cai <cai@....us>,
Richard Haines <richard_c_haines@...nternet.com>,
Ondrej Mosnacek <omosnace@...hat.com>,
Paul Moore <paul@...l-moore.com>
Subject: [PATCH 4.18 134/171] selinux: check length properly in SCTP bind hook
4.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@...hat.com>
commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream.
selinux_sctp_bind_connect() must verify if the address buffer has
sufficient length before accessing the 'sa_family' field. See
__sctp_connect() for a similar check.
The length of the whole address ('len') is already checked in the
callees.
Reported-by: Qian Cai <cai@....us>
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Cc: <stable@...r.kernel.org> # 4.17+
Cc: Richard Haines <richard_c_haines@...nternet.com>
Signed-off-by: Ondrej Mosnacek <omosnace@...hat.com>
Tested-by: Qian Cai <cai@....us>
Signed-off-by: Paul Moore <paul@...l-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
security/selinux/hooks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5306,6 +5306,9 @@ static int selinux_sctp_bind_connect(str
addr_buf = address;
while (walk_size < addrlen) {
+ if (walk_size + sizeof(sa_family_t) > addrlen)
+ return -EINVAL;
+
addr = addr_buf;
switch (addr->sa_family) {
case AF_UNSPEC:
Powered by blists - more mailing lists