selinux: Add boundary check in put_entry()

bmastbergen · bmastbergen · commit 7f5249aa9277 · 2025-08-29T14:28:09.000-04:00
jira VULN-70689 cve CVE-2022-50200 commit-author Xiu Jianfeng <xiujianfeng@huawei.com> commit 15ec76f Just like next_entry(), boundary check is necessary to prevent memory out-of-bound access. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com> (cherry picked from commit 15ec76f) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
@@ -370,6 +370,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic
 {
 	size_t len = bytes * num;
 
+	if (len > fp->len)
+		return -EINVAL;
 	memcpy(fp->data, buf, len);
 	fp->data += len;
 	fp->len -= len;

Original file line number	Diff line number	Diff line change
`@@ -370,6 +370,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic`
`370`	`370`	`{`
`371`	`371`	`size_t len = bytes * num;`
`372`	`372`
	`373`	`+ if (len > fp->len)`
	`374`	`+ return -EINVAL;`
`373`	`375`	`memcpy(fp->data, buf, len);`
`374`	`376`	`fp->data += len;`
`375`	`377`	`fp->len -= len;`