From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sabyrzhan Tasbolatov <snovitoll@gmail.com>,
	syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com,
	Casey Schaufler <casey@schaufler-ca.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 14/16] smackfs: restrict bytes count in smackfs write functions
Date: Wed, 24 Feb 2021 07:55:11 -0500
Message-ID: <20210224125514.483935-14-sashal@kernel.org>
In-Reply-To: <20210224125514.483935-1-sashal@kernel.org>

From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>

[ Upstream commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 ]

syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE.

Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO,
smk_write_net6addr accepts any label or -DELETE. I couldn't find
any general rule for other label lengths except SMK_LABELLEN,
SMK_LONGLABEL, SMK_CIPSOMAX which are documented.

Let's constrain, in general, smackfs label lengths for PAGE_SIZE.
Although fuzzer crashes write to smackfs/netlabel on 0x400000 length.

Here is a quick way to reproduce the WARNING:
python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel

Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/smack/smackfs.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index accd3846f1e3e..4f8c1a272df07 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1191,7 +1191,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
 		return -EPERM;
 	if (*ppos != 0)
 		return -EINVAL;
-	if (count < SMK_NETLBLADDRMIN)
+	if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
 		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
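
Review bot: The upper bound in the new smk_write_net4addr check is "count > PAGE_SIZE - 1", while the checks added later in this patch (smk_write_ambient, smk_write_onlycap and the rest) use "count > PAGE_SIZE". memdup_user_nul() allocates count + 1 bytes for the terminating NUL, so PAGE_SIZE - 1 is the bound that keeps the copy within a single page. Either use the same limit in all seven handlers or say in the commit message why the two address handlers are stricter.
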
@@ -1451,7 +1451,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
 		return -EPERM;
 	if (*ppos != 0)
 		return -EINVAL;
-	if (count < SMK_NETLBLADDRMIN)
+	if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
 		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
@@ -1858,6 +1858,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
 
+	/* Enough data must be present */
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
+
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
 		return PTR_ERR(data);
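
Review bot: The comment added above the new check in smk_write_ambient, "Enough data must be present", describes only the count == 0 half. The count > PAGE_SIZE half is the part that addresses the memdup_user_nul() WARNING from the commit message and is left undocumented. Suggest rewording the comment so it covers both the empty write and the upper bound; the same applies to the identical check in smk_write_syslog.
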
@@ -2029,6 +2033,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
 
+	if (count > PAGE_SIZE)
+		return -EINVAL;
+
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
 		return PTR_ERR(data);
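
Review bot: The check added to smk_write_onlycap rejects only count > PAGE_SIZE and has no count == 0 test, unlike the checks added to smk_write_ambient, smk_write_syslog and smk_write_relabel_self. If a zero-length write is intentionally accepted here, a one-line comment saying so would stop a later cleanup from "fixing" the difference. The same point applies to the check in smk_write_unconfined.
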
@@ -2116,6 +2123,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
 
+	if (count > PAGE_SIZE)
+		return -EINVAL;
+
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
 		return PTR_ERR(data);
@@ -2669,6 +2679,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
 
+	/* Enough data must be present */
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
+
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
 		return PTR_ERR(data);
@@ -2761,10 +2775,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
 		return -EPERM;
 
 	/*
+	 * No partial write.
 	 * Enough data must be present.
 	 */
 	if (*ppos != 0)
 		return -EINVAL;
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
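
Review bot: In smk_write_relabel_self the comment block now reads "No partial write. Enough data must be present.", but neither line mentions the PAGE_SIZE cap that the added count check enforces. With this hunk the same open-coded bound appears in seven write handlers with two different limits (PAGE_SIZE - 1 and PAGE_SIZE); a small shared helper or a single named limit would keep them from drifting apart.
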
-- 
2.27.0

