Re: [PATCH v3 11/14] selinux: more strict bounds check

From: Stephen Smalley

Date: Fri May 01 2026 - 13:15:37 EST


On Sun, May 11, 2025 at 1:31 PM Christian Göttsche
<cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Validate the types used in bounds checks.
> Replace the usage of BUG(), to avoid halting the system on malformed
> policies.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> security/selinux/ss/policydb.c | 29 +++++++++++++++++++++++++++--
> security/selinux/ss/policydb.h | 1 +
> security/selinux/ss/services.c | 3 +++
> 3 files changed, 31 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 4559c8918134..7774f6da2ebe 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -1020,6 +1020,15 @@ bool policydb_class_isvalid(const struct policydb *p, u16 class)
> return true;
> }
>
> +bool policydb_user_isvalid(const struct policydb *p, u32 user)
> +{
> + if (!user || user > p->p_roles.nprim)
> + return false;
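
Review bot: The upper bound in policydb_user_isvalid() is taken from p->p_roles.nprim, so the user value is checked against the number of roles rather than the number of users; the condition should be "user > p->p_users.nprim". As written, a user value larger than the user count but within the role count is accepted as valid, and a legitimate user is rejected whenever the policy defines more users than roles.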

s/p_roles/p_users/