This Linux kernel change "netlabel: fix out-of-bounds memory accesses" is included in the Linux 5.0 release. This change is authored by Paul Moore <paul [at]> on Mon Feb 25 19:06:06 2019 -0500. The commit for this change in Linux stable tree is 5578de4 (patch).

netlabel: fix out-of-bounds memory accesses

There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
errors are embarassingly simple, and the fixes are straightforward.

As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.

Reported-by: Jann Horn <[email protected]>
Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

There are 6 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 net/ipv4/cipso_ipv4.c        | 3 ++-
 net/netlabel/netlabel_kapi.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index eff86a7..f0165c5 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def, u8 level)
    case CIPSO_V4_MAP_PASS:
        return 0;
    case CIPSO_V4_MAP_TRANS:
-       if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
+       if ((level < doi_def->map.std->lvl.cipso_size) &&
+           (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
            return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ea7c670..ee3e5b6 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned char *bitmap, u32 bitmap_len,
            (state == 0 && (byte & bitmask) == 0))
            return bit_spot;

-       bit_spot++;
+       if (++bit_spot >= bitmap_len)
+           return -1;
        bitmask >>= 1;
        if (bitmask == 0) {
            byte = bitmap[++byte_offset];

