CVE-2019-25160 - Resolving Out-of-Bounds Memory Accesses in Linux Kernel's netlabel Module

In the Linux kernel, a critical vulnerability, identified as CVE-2019-25160, has been resolved. The vulnerability affects the netlabel subsystem and could potentially lead to out-of-bounds memory accesses, posing a serious security risk to affected systems.

The netlabel module is responsible for the management of packet labeling protocols, such as CIPSO (Common IP Security Option), which is used to add security labels to IP packets. The vulnerability was found in two functions, cipso_v4_map_lvl_valid() and netlbl_bitmap_walk().

Paul Moore, a renowned developer in Linux kernel security, has provided patches for these vulnerabilities. The patches apply small changes, making the fixes simple and straightforward.

Here's a snippet of the code changes to fix the out-of-bounds memory accesses

@@ -1151,7 +1151,7 @@ static u32 cipso_v4_map_lvl_valid(const struct netlbl_lsm_secattr *secattr,
   for (iter = ;
        cipsov4_map_std_lvl_cache[iter] != CIPSO_V4_MAP_STD_END;
        iter++) {
-       if (cipsov4_map_std_lvl_cache[iter] == secattr->attr.secid)
+       if (cipsov4_map_std_lvl_cache[iter] == secattr->attr.level)
           return cipsov4_map_std_lvl_cache[iter + 1];
   }

@@ -186,7 +186,7 @@ int netlbl_bitmap_walk(const void *map,
     * 'idx' now contains the index of the first potential match so
     * calculate the final result and return it. */
    tmp = idx * NETLBL_CATMAP_MAPSIZE + __ffs(_map[idx]);
-   if (tmp <= cat_end)
+   if (tmp < cat_end)
        return tmp;
    return -ENOENT;
}

Note for those backporting the patch to Linux kernel versions prior to v4.8: You should apply the netlbl_bitmap_walk() patch to the cipso_v4_bitmap_walk() function as netlbl_bitmap_walk() does not exist before Linux v4.8.

To delve deeper into the details of the vulnerability and the proposed patches, please refer to the following original references:

1. Linux Kernel Mailing List - netlabel: fix out-of-bounds memory accesses
2. CIPSO (Common IP Security Option) - Wikipedia

We highly recommend updating your Linux kernel to the latest version to apply these fixes and address the CVE-2019-25160 vulnerability. Keeping your system's software up to date is one of the most effective ways to ensure its security.

Timeline

Published on: 02/26/2024 18:15:06 UTC
Last modified on: 04/17/2024 17:43:57 UTC