selinux: Add boundary check in put_entry()

Xiu Jianfeng · pcmoore · commit 15ec76fb29be · 2022-06-14T21:52:37.000-04:00
Just like next_entry(), boundary check is necessary to prevent memory
out-of-bound access.

Signed-off-by: Xiu Jianfeng &lt;xiujianfeng@huawei.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
@@ -370,6 +370,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic
 {
 	size_t len = bytes * num;
 
+	if (len > fp->len)
+		return -EINVAL;
 	memcpy(fp->data, buf, len);
 	fp->data += len;
 	fp->len -= len;

Original file line number	Diff line number	Diff line change
`@@ -370,6 +370,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic`
`370`	`370`	`{`
`371`	`371`	`size_t len = bytes * num;`
`372`	`372`
	`373`	`+ if (len > fp->len)`
	`374`	`+ return -EINVAL;`
`373`	`375`	`memcpy(fp->data, buf, len);`
`374`	`376`	`fp->data += len;`
`375`	`377`	`fp->len -= len;`