diff --git a/debian/changelog b/debian/changelog
index f6b86fee4..b3b67d37b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
 (CVE-2020-12768)
 * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
 * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
+ * netlabel: cope with NULL catmap (CVE-2020-10711)
 -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200
diff --git a/debian/patches/bugfix/all/netlabel-cope-with-NULL-catmap.patch b/debian/patches/bugfix/all/netlabel-cope-with-NULL-catmap.patch
new file mode 100644
index 000000000..8aa633a1a
--- /dev/null
+++ b/debian/patches/bugfix/all/netlabel-cope-with-NULL-catmap.patch
@@ -0,0 +1,92 @@
+From: Paolo Abeni
+Date: Tue, 12 May 2020 14:43:14 +0200
+Subject: netlabel: cope with NULL catmap
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=caf6c20c6421ca687751d27b96c8021c655e56e6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10711
+
+[ Upstream commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 ]
+
+The cipso and calipso code can set the MLS_CAT attribute on
+successful parsing, even if the corresponding catmap has
+not been allocated, as per current configuration and external
+input.
+
+Later, selinux code tries to access the catmap if the MLS_CAT flag
+is present via netlbl_catmap_getlong(). That may cause null ptr
+dereference while processing incoming network traffic.
+
+Address the issue setting the MLS_CAT flag only if the catmap is
+really allocated. Additionally let netlbl_catmap_getlong() cope
+with NULL catmap.
+
+Reported-by: Matthew Sheets
+Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Signed-off-by: Paolo Abeni
+Acked-by: Paul Moore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ net/ipv6/calipso.c | 3 ++-
+ net/netlabel/netlabel_kapi.c | 6 ++++++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 1c21dc5d6dd4..5535b722f66d 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1272,7 +1272,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+@@ -1453,7 +1454,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 1c0bb9fb76e6..70611784c071 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1061,7 +1061,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
+ goto getattr_return;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ secattr->type = NETLBL_NLTYPE_CALIPSO;
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index ee3e5b6471a6..15fe2120b310 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -748,6 +748,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ if ((off & (BITS_PER_LONG - 1)) != 0)
+ return -EINVAL;
+
++ /* a null catmap is equivalent to an empty one */
++ if (!catmap) {
++ *offset = (u32)-1;
++ return 0;
++ }
++
+ if (off < catmap->startbit) {
+ off = catmap->startbit;
+ *offset = off;
+--
+2.27.0.rc0
+
diff --git a/debian/patches/series b/debian/patches/series
index 0968e27e7..a7b82e3b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
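Review bot: The NULL guard added in netlbl_catmap_getlong turns a NULL catmap into an accepted input (`*offset = (u32)-1; return 0;`), but the patch records that contract nowhere a caller would look; the function's signature, its kernel-doc and its end all lie outside the hunk. If the 4.19 tree carries the kernel-doc block for this function, `@catmap: the category bitmap, may be NULL (treated as an empty map)` is the one-line addition I would want there, so LSM callers do not re-add their own pointer checks. The guard is placed after the `off` alignment check, so a misaligned offset is still rejected with -EINVAL whether or not a catmap exists, which looks intentional. The identical three-line gate in cipso_v4_parsetag_rbm, cipso_v4_parsetag_rng and calipso_opt_getattr is repeated rather than factored, but since this file is a backport of the cited stable commit it should stay byte-identical to upstream rather than be reworked in the Debian patch.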
@@ -306,5 +306,6 @@ bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
 bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
 bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
 bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
+bugfix/all/netlabel-cope-with-NULL-catmap.patch
 # ABI maintenance