Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] Smack: check length in smk_set_cipso()
@ 2019-11-20 14:51 Denis Efremov
  0 siblings, 0 replies; only message in thread
From: Denis Efremov @ 2019-11-20 14:51 UTC (permalink / raw)
  To: unlisted-recipients:; (no To-header on input)
  Cc: Denis Efremov, linux-security-module, linux-kernel,
	Casey Schaufler, James Morris, Serge E. Hallyn, stable

It's possible to trigger out-of-bounds read in smk_set_cipso().
For example (from root):
$ echo "test 1" > /sys/fs/smackfs/cipso2
BUG: KASAN: slab-out-of-bounds in vsscanf+0x2203/0x2990
Read of size 1 at addr ffff888061b023c9 by task bash/5578

The patch adds length checks for SMK_LONG_FMT format.

The bug was found by syzkaller.

Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Denis Efremov <efremov@linux.com>
---
 security/smack/smackfs.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index e3e05c04dbd1..fad50a5a807b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -878,6 +878,9 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 	else
 		rule += strlen(skp->smk_known) + 1;
 
+	if (rule - data + 2 * SMK_DIGITLEN - 1 >= count)
+		goto out;
+
 	ret = sscanf(rule, "%d", &maplevel);
 	if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
 		goto out;
@@ -887,15 +890,19 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 	if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
 		goto out;
 
-	if (format == SMK_FIXED24_FMT &&
-	    count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
+	rule += SMK_DIGITLEN;
+
+	if ((format == SMK_FIXED24_FMT &&
+	     count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) ||
+	    (format == SMK_LONG_FMT &&
+	     count != (rule - data + catlen * SMK_DIGITLEN)))
 		goto out;
 
 	memset(mapcatset, 0, sizeof(mapcatset));
 
 	for (i = 0; i < catlen; i++) {
-		rule += SMK_DIGITLEN;
 		ret = sscanf(rule, "%u", &cat);
+		rule += SMK_DIGITLEN;
 		if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
 			goto out;
 
-- 
2.21.0


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-20 14:51 [PATCH] Smack: check length in smk_set_cipso() Denis Efremov

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git