lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250506031833.6107-1-caixinchen1@huawei.com>
Date: Tue, 6 May 2025 03:18:33 +0000
From: Cai Xinchen <caixinchen1@...wei.com>
To: <linux-kernel@...r.kernel.org>, <selinux@...r.kernel.org>
CC: <paul@...l-moore.com>, <stephen.smalley.work@...il.com>,
	<omosnace@...hat.com>, <ericsu@...ux.microsoft.com>, <caixinchen1@...wei.com>
Subject: [PATCH] SELinux: Add check for the user data passed to kcalloc in hashtab_init

When the user writes some data to the file /sys/fs/selinux/policy,
there is no check for the user buf passed to kcalloc. Syzkaller shows
 this warning:
WARNING: CPU: 1 PID: 6642 at mm/page_alloc.c

__alloc_pages_noprof
___kmalloc_large_node
__kmalloc_large_node_noprof
__kmalloc_noprof
hashtab_init
common_read
policydb_read
security_load_policy
sel_write_load
vfs_write
ksys_write
do_syscall_64

This warning can be reproduced by writing this content to
/sys/fs/selinux/policy
8cff7cf9 08000000 5345204c 696e7578 15000000 e0ff962a 08000000 07000000
4cf523cd 7eec2688 6d70a6b7 c78b496f 1a0a192c ea34ff41 70581a74 3ff0cfb9
7ea0f0d1 70d1fe14 41c2f7c8 ea1c78dd 17a19249 35210081 a83c30ec 4171450b
fc1de12c fe1ff342 a887

Add check to prevent the size passed to kcalloc larger than MAX_PAGE_ORDER
after get_order.

Signed-off-by: Cai Xinchen <caixinchen1@...wei.com>
---
 security/selinux/ss/hashtab.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 383fd2d70878..18bcf3978c9e 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -30,6 +30,21 @@ static u32 hashtab_compute_size(u32 nel)
 	return nel == 0 ? 0 : roundup_pow_of_two(nel);
 }
 
+static bool is_order_out_of_range(u32 size, struct hashtab *h)
+{
+	size_t bytes;
+	u32 order;
+
+	if (unlikely(check_mul_overflow(size, sizeof(*h->htable), &bytes)))
+		return true;
+
+	order = get_order(bytes);
+	if (order > MAX_PAGE_ORDER)
+		return true;
+
+	return false;
+}
+
 int hashtab_init(struct hashtab *h, u32 nel_hint)
 {
 	u32 size = hashtab_compute_size(nel_hint);
@@ -40,6 +55,9 @@ int hashtab_init(struct hashtab *h, u32 nel_hint)
 	h->htable = NULL;
 
 	if (size) {
+		if (is_order_out_of_range(size, h))
+			return -ENOMEM;
+
 		h->htable = kcalloc(size, sizeof(*h->htable), GFP_KERNEL);
 		if (!h->htable)
 			return -ENOMEM;
-- 
2.34.1


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ