selinux: harden MLS context string generation against overflows

cgzones · cgzones · commit a065bde7f6dc · 2025-05-11T18:10:32.000+02:00
Check the length accumulator for the MLS component of security contexts
does not overflow in mls_compute_context_len() resulting in
out-of-buffer writes in mls_sid_to_context().

Signed-off-by: Christian Göttsche &lt;cgzones@googlemail.com&gt;
---
v3: add patch
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
@@ -42,7 +42,8 @@ int mls_compute_context_len(struct policydb *p, struct context *context)
 	len = 1; /* for the beginning ":" */
 	for (l = 0; l < 2; l++) {
 		u32 index_sens = context->range.level[l].sens;
-		len += strlen(sym_name(p, SYM_LEVELS, index_sens - 1));
+		if (check_add_overflow(len, strlen(sym_name(p, SYM_LEVELS, index_sens - 1)), &len))
+			return -EOVERFLOW;
 
 		/* categories */
 		head = -2;
@@ -54,24 +55,29 @@ int mls_compute_context_len(struct policydb *p, struct context *context)
 				/* one or more negative bits are skipped */
 				if (head != prev) {
 					nm = sym_name(p, SYM_CATS, prev);
-					len += strlen(nm) + 1;
+					if (check_add_overflow(len, strlen(nm) + 1, &len))
+						return -EOVERFLOW;
 				}
 				nm = sym_name(p, SYM_CATS, i);
-				len += strlen(nm) + 1;
+				if (check_add_overflow(len, strlen(nm) + 1, &len))
+					return -EOVERFLOW;
 				head = i;
 			}
 			prev = i;
 		}
 		if (prev != head) {
 			nm = sym_name(p, SYM_CATS, prev);
-			len += strlen(nm) + 1;
+			if (check_add_overflow(len, strlen(nm) + 1, &len))
+				return -EOVERFLOW;
 		}
 		if (l == 0) {
 			if (mls_level_eq(&context->range.level[0],
 					 &context->range.level[1]))
 				break;
-			else
-				len++;
+			else {
+				if (check_add_overflow(len, 1, &len))
+					return -EOVERFLOW;
+			}
 		}
 	}
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
@@ -1247,6 +1247,7 @@ static int context_struct_to_string(struct policydb *p,
 				    char **scontext, u32 *scontext_len)
 {
 	char *scontextp;
+	int mls_len;
 
 	if (scontext)
 		*scontext = NULL;
@@ -1266,11 +1267,33 @@ static int context_struct_to_string(struct policydb *p,
 	*scontext_len += strlen(sym_name(p, SYM_USERS, context->user - 1)) + 1;
 	*scontext_len += strlen(sym_name(p, SYM_ROLES, context->role - 1)) + 1;
 	*scontext_len += strlen(sym_name(p, SYM_TYPES, context->type - 1)) + 1;
-	*scontext_len += mls_compute_context_len(p, context);
+
+	mls_len = mls_compute_context_len(p, context);
+	if (unlikely(mls_len < 0)) {
+		pr_warn_ratelimited("SELinux: %s:  MLS security context component too large ([%d:%d]-[%d:%d])",
+				    __func__,
+				    context->range.level[0].sens,
+				    ebitmap_length(&context->range.level[0].cat),
+				    context->range.level[1].sens,
+				    ebitmap_length(&context->range.level[1].cat));
+		return -EOVERFLOW;
+	}
+	*scontext_len += mls_len;
 
 	if (!scontext)
 		return 0;
 
+	if (unlikely(*scontext_len > CONTEXT_MAXLENGTH)) {
+		pr_warn_ratelimited("SELinux: %s:  security context string of length %d too large (%d:%d:%d:[%d:%d]-[%d:%d])",
+				    __func__, *scontext_len,
+				    context->user, context->role, context->type,
+				    context->range.level[0].sens,
+				    ebitmap_length(&context->range.level[0].cat),
+				    context->range.level[1].sens,
+				    ebitmap_length(&context->range.level[1].cat));
+		return -EOVERFLOW;
+	}
+
 	/* Allocate space for the context; caller must free this space. */
 	scontextp = kmalloc(*scontext_len, GFP_ATOMIC);
 	if (!scontextp)
