From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
To: casey@schaufler-ca.com
Cc: jmorris@namei.org, serge@hallyn.com, andreyknvl@google.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Subject: [PATCH] smackfs: restrict bytes count in smackfs write functions
Date: Sun, 24 Jan 2021 20:36:27 +0600 [thread overview]
Message-ID: <20210124143627.582115-1-snovitoll@gmail.com> (raw)
syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger SMK_LONGLABEL,
for smk_write_syslog if bigger than PAGE_SIZE - 1.
Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
---
security/smack/smackfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5d44b7d258ef..88678c6f1b8c 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
- if (count < SMK_NETLBLADDRMIN)
+ if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
return -EINVAL;
data = memdup_user_nul(buf, count);
@@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
- if (count < SMK_NETLBLADDRMIN)
+ if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
return -EINVAL;
data = memdup_user_nul(buf, count);
@@ -2647,6 +2647,8 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
+ if (count > PAGE_SIZE - 1)
+ return -EINVAL;
data = memdup_user_nul(buf, count);
if (IS_ERR(data))
@@ -2744,6 +2746,8 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
*/
if (*ppos != 0)
return -EINVAL;
+ if (count > SMK_LONGLABEL)
+ return -EINVAL;
data = memdup_user_nul(buf, count);
if (IS_ERR(data))
--
2.25.1
next reply other threads:[~2021-01-24 14:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-24 14:36 Sabyrzhan Tasbolatov [this message]
2021-01-25 18:08 ` [PATCH] smackfs: restrict bytes count in smackfs write functions Casey Schaufler
2021-01-25 22:42 ` Tetsuo Handa
2021-01-28 11:58 ` [PATCH v2] " Sabyrzhan Tasbolatov
2021-01-28 12:59 ` Tetsuo Handa
2021-01-28 13:27 ` Sabyrzhan Tasbolatov
2021-01-28 14:24 ` Tetsuo Handa
2021-01-29 2:10 ` Casey Schaufler
2021-02-02 19:13 ` Sabyrzhan Tasbolatov
2021-02-02 19:33 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210124143627.582115-1-snovitoll@gmail.com \
--to=snovitoll@gmail.com \
--cc=andreyknvl@google.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.