From: "Serge E. Hallyn" <serge@hallyn.com>
To: Tyler Hicks <tyhicks@canonical.com>
Cc: John Johansen <john.johansen@canonical.com>,
James Morris <jmorris@namei.org>, Serge Hallyn <serge@hallyn.com>,
Seth Arnold <seth.arnold@canonical.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] apparmor: Check buffer bounds when mapping permissions mask
Date: Tue, 10 Jul 2018 10:00:12 -0500 [thread overview]
Message-ID: <20180710150012.GC1661@mail.hallyn.com> (raw)
In-Reply-To: <1530854701-7348-2-git-send-email-tyhicks@canonical.com>
Quoting Tyler Hicks (tyhicks@canonical.com):
> Don't read past the end of the buffer containing permissions
> characters or write past the end of the destination string.
>
> Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
>
> Fixes: e53cfe6c7caa ("apparmor: rework perm mapping to a slightly broader set")
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
> ---
> security/apparmor/file.c | 3 ++-
> security/apparmor/include/perms.h | 3 ++-
> security/apparmor/lib.c | 17 +++++++++++++----
> 3 files changed, 17 insertions(+), 6 deletions(-)
>
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index 224b2fef93ca..4285943f7260 100644
> --- a/security/apparmor/file.c
> +++ b/security/apparmor/file.c
> @@ -47,7 +47,8 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
> {
> char str[10];
>
> - aa_perm_mask_to_str(str, aa_file_perm_chrs, map_mask_to_chr_mask(mask));
> + aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
> + map_mask_to_chr_mask(mask));
> audit_log_string(ab, str);
> }
>
> diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
> index 38aa6247d00f..b94ec114d1a4 100644
> --- a/security/apparmor/include/perms.h
> +++ b/security/apparmor/include/perms.h
> @@ -137,7 +137,8 @@ extern struct aa_perms allperms;
> xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
>
>
> -void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
> +void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
> + u32 mask);
> void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
> u32 mask);
> void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..7ab368c3789b 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -198,15 +198,24 @@ const char *aa_file_perm_names[] = {
> /**
> * aa_perm_mask_to_str - convert a perm mask to its short string
> * @str: character buffer to store string in (at least 10 characters)
> + * @str_size: size of the @str buffer
> + * @chrs: NUL-terminated character buffer of permission characters
> * @mask: permission mask to convert
> */
> -void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
> +void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
> {
> unsigned int i, perm = 1;
> + size_t num_chrs = strlen(chrs);
> +
> + for (i = 0; i < num_chrs; perm <<= 1, i++) {
> + if (mask & perm) {
> + /* Ensure that one byte is left for NUL-termination */
> + if (WARN_ON_ONCE(str_size <= 1))
> + continue;
>
> - for (i = 0; i < 32; perm <<= 1, i++) {
> - if (mask & perm)
> *str++ = chrs[i];
> + str_size--;
> + }
> }
> *str = '\0';
> }
> @@ -236,7 +245,7 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
>
> audit_log_format(ab, "\"");
> if ((mask & chrsmask) && chrs) {
> - aa_perm_mask_to_str(str, chrs, mask & chrsmask);
> + aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
> mask &= ~chrsmask;
> audit_log_format(ab, "%s", str);
> if (mask & namesmask)
> --
> 2.7.4
next prev parent reply other threads:[~2018-07-10 15:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-06 5:24 [PATCH 0/2] Fix AppArmor issues found through static analysis Tyler Hicks
2018-07-06 5:25 ` [PATCH 1/2] apparmor: Check buffer bounds when mapping permissions mask Tyler Hicks
2018-07-10 15:00 ` Serge E. Hallyn [this message]
2018-07-19 23:28 ` John Johansen
2018-07-06 5:25 ` [PATCH 2/2] apparmor: Fully initialize aa_perms struct when answering userspace query Tyler Hicks
2018-07-10 15:03 ` Serge E. Hallyn
2018-07-19 23:28 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180710150012.GC1661@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=seth.arnold@canonical.com \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).