[PATCH] SELinux check behavior value

From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch fixes a bug in the SELinux module by adding a check of the
filesystem labeling behavior value obtained from the policy.

2 files changed, 11 insertions, 3 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6321894561e04a..9083e09b6b4e85 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -313,9 +313,15 @@ static int superblock_doinit(struct super_block *sb)
 
 	sbsec->initialized = 1;
 
-	printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
-	       sb->s_id, sb->s_type->name,
-	       labeling_behaviors[sbsec->behavior-1]);
+	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
+		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+		       sb->s_id, sb->s_type->name);
+	}
+	else {
+		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
+		       sb->s_id, sb->s_type->name,
+		       labeling_behaviors[sbsec->behavior-1]);
+	}
 
 	/* Initialize the root inode. */
 	rc = inode_doinit_with_dentry(sb->s_root->d_inode, sb->s_root);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index ace257310fa3a1..d1ffecbbd117d7 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1301,6 +1301,8 @@ int policydb_read(struct policydb *p, void *fp)
 				if (!buf)
 					goto bad;
 				c->v.behavior = le32_to_cpu(buf[0]);
+				if (c->v.behavior > SECURITY_FS_USE_NONE)
+					goto bad;
 				len = le32_to_cpu(buf[1]);
 				buf = next_entry(fp, len);
 				if (!buf)