From: Rafael Aquini <aquini@redhat.com>
To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	mcgrof@kernel.org
Cc: keescook@chromium.org, akpm@linux-foundation.org,
	yzaikin@google.com, tytso@mit.edu
Subject: [PATCH] kernel: sysctl: ignore out-of-range taint bits introduced via kernel.tainted
Date: Tue, 12 May 2020 13:46:53 -0400
Message-ID: <20200512174653.770506-1-aquini@redhat.com>

The sysctl knob allows users with SYS_ADMIN capability to
taint the kernel with any arbitrary value, but this might
produce an invalid flags bitset being committed to tainted_mask.

This patch introduces a simple way for proc_taint() to ignore
any eventual invalid bit coming from the user input before
committing those bits to the kernel tainted_mask.

Signed-off-by: Rafael Aquini <aquini@redhat.com>
---
 include/linux/kernel.h |  2 ++
 kernel/sysctl.c        | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 9b7a8d74a9d6..e8c22a9bbc95 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -597,6 +597,8 @@ extern enum system_states {
 #define TAINT_RANDSTRUCT		17
 #define TAINT_FLAGS_COUNT		18
 
+#define TAINT_FLAGS_MAX			((1UL << TAINT_FLAGS_COUNT) - 1)
+
 struct taint_flag {
 	char c_true;	/* character printed when tainted */
 	char c_false;	/* character printed when not tainted */
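Review bot: The name TAINT_FLAGS_MAX on the added #define reads like the highest flag index, but the value ((1UL << TAINT_FLAGS_COUNT) - 1) is a bitmask of all valid flags. A name such as TAINT_FLAGS_MASK, or a one-line comment saying it is the mask of every defined taint bit, would make the later "tmptaint > TAINT_FLAGS_MAX" and "tmptaint &= TAINT_FLAGS_MAX" easier to read. Deriving it from TAINT_FLAGS_COUNT is good, since it stays correct when a new flag is added above TAINT_RANDSTRUCT.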
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 8a176d8727a3..fb2d693fc08c 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2623,11 +2623,23 @@ static int proc_taint(struct ctl_table *table, int write,
 		return err;
 
 	if (write) {
+		int i;
+
+		/*
+		 * Ignore user input that would cause the loop below
+		 * to commit arbitrary and out of valid range TAINT flags.
+		 */
+		if (tmptaint > TAINT_FLAGS_MAX) {
+			tmptaint &= TAINT_FLAGS_MAX;
+			pr_warn_once("%s: out-of-range taint input ignored."
+				     " tainted_mask adjusted to 0x%lx\n",
+				     __func__, tmptaint);
+		}
+
 		/*
 		 * Poor man's atomic or. Not worth adding a primitive
 		 * to everyone's atomic.h for this
 		 */
-		int i;
 		for (i = 0; i < BITS_PER_LONG && tmptaint >> i; i++) {
 			if ((tmptaint >> i) & 1)
 				add_taint(i, LOCKDEP_STILL_OK);
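Review bot: The pr_warn_once() text says "tainted_mask adjusted to 0x%lx" but the value printed is tmptaint, the masked user input, not the kernel's tainted_mask, which may already hold other bits; wording it as the accepted input value would avoid misleading whoever reads the log. Because it is a _once warning and the write still returns success, every later out-of-range write is trimmed silently, so it is worth stating in the sysctl documentation that bits at or above TAINT_FLAGS_COUNT are dropped, or considering an error return instead. The format string is also split across two source lines, which makes the message harder to grep for; keeping it on one line is the usual kernel style. With the input now masked, the loop bound "i < BITS_PER_LONG" could become "i < TAINT_FLAGS_COUNT" so the valid range is visible at the loop itself.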
-- 
2.25.4

