selinux: fix overflow and 0 length allocations Throughout the SELinux LSM, values taken from sepolicy are used in places where length == 0 or length == <saturated> matter, find and fix these. Signed-off-by: William Roberts <william.c.roberts@intel.com> Signed-off-by: Paul Moore <paul@paul-moore.com>

commit: 7c686af071ade663d0995aa30b262495a6c68c88 [log] [tgz]
author: William Roberts <william.c.roberts@intel.com> Tue Aug 30 09:28:11 2016 -0700
committer: Paul Moore <paul@paul-moore.com> Tue Aug 30 15:45:50 2016 -0400
tree: dc9d17f0b475edc7c371475a33fa8683eb3802cd
parent: 3bc7bcf69bbe763359454b2c40efcba22730e181 [diff]
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 456e1a9..34afead 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c

@@ -242,6 +242,8 @@
 		goto err;
 
 	len = le32_to_cpu(buf[2]);
+	if (((len == 0) || (len == (u32)-1)))
+		goto err;
 
 	rc = -ENOMEM;
 	key = kmalloc(len + 1, GFP_KERNEL);

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 4b24385..8c661f0 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c

@@ -1094,6 +1094,9 @@
 	int rc;
 	char *str;
 
+	if ((len == 0) || (len == (u32)-1))
+		return -EINVAL;
+
 	str = kmalloc(len + 1, flags);
 	if (!str)
 		return -ENOMEM;
commit	7c686af071ade663d0995aa30b262495a6c68c88	[log] [tgz]
author	William Roberts <william.c.roberts@intel.com>	Tue Aug 30 09:28:11 2016 -0700
committer	Paul Moore <paul@paul-moore.com>	Tue Aug 30 15:45:50 2016 -0400
tree	dc9d17f0b475edc7c371475a33fa8683eb3802cd
parent	3bc7bcf69bbe763359454b2c40efcba22730e181 [diff]