| From 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 Mon Sep 17 00:00:00 2001 |
| From: Sabyrzhan Tasbolatov <snovitoll@gmail.com> |
| Date: Thu, 28 Jan 2021 17:58:01 +0600 |
| Subject: smackfs: restrict bytes count in smackfs write functions |
| |
| From: Sabyrzhan Tasbolatov <snovitoll@gmail.com> |
| |
| commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream. |
| |
| syzbot found WARNINGs in several smackfs write operations where |
| bytes count is passed to memdup_user_nul which exceeds |
| GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. |
| |
| Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, |
| smk_write_net6addr accepts any label or -DELETE. I couldn't find |
| any general rule for other label lengths except SMK_LABELLEN, |
| SMK_LONGLABEL, SMK_CIPSOMAX which are documented. |
| |
| Let's constrain, in general, smackfs label lengths for PAGE_SIZE. |
| Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. |
| |
| Here is a quick way to reproduce the WARNING: |
| python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel |
| |
| Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com |
| Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> |
| Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| security/smack/smackfs.c | 21 +++++++++++++++++++-- |
| 1 file changed, 19 insertions(+), 2 deletions(-) |
| |
| --- a/security/smack/smackfs.c |
| +++ b/security/smack/smackfs.c |
| @@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct |
| return -EPERM; |
| if (*ppos != 0) |
| return -EINVAL; |
| - if (count < SMK_NETLBLADDRMIN) |
| + if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) |
| return -EINVAL; |
| |
| data = memdup_user_nul(buf, count); |
| @@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct |
| return -EPERM; |
| if (*ppos != 0) |
| return -EINVAL; |
| - if (count < SMK_NETLBLADDRMIN) |
| + if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) |
| return -EINVAL; |
| |
| data = memdup_user_nul(buf, count); |
| @@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct |
| if (!smack_privileged(CAP_MAC_ADMIN)) |
| return -EPERM; |
| |
| + /* Enough data must be present */ |
| + if (count == 0 || count > PAGE_SIZE) |
| + return -EINVAL; |
| + |
| data = memdup_user_nul(buf, count); |
| if (IS_ERR(data)) |
| return PTR_ERR(data); |
| @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct |
| if (!smack_privileged(CAP_MAC_ADMIN)) |
| return -EPERM; |
| |
| + if (count > PAGE_SIZE) |
| + return -EINVAL; |
| + |
| data = memdup_user_nul(buf, count); |
| if (IS_ERR(data)) |
| return PTR_ERR(data); |
| @@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(stru |
| if (!smack_privileged(CAP_MAC_ADMIN)) |
| return -EPERM; |
| |
| + if (count > PAGE_SIZE) |
| + return -EINVAL; |
| + |
| data = memdup_user_nul(buf, count); |
| if (IS_ERR(data)) |
| return PTR_ERR(data); |
| @@ -2648,6 +2658,10 @@ static ssize_t smk_write_syslog(struct f |
| if (!smack_privileged(CAP_MAC_ADMIN)) |
| return -EPERM; |
| |
| + /* Enough data must be present */ |
| + if (count == 0 || count > PAGE_SIZE) |
| + return -EINVAL; |
| + |
| data = memdup_user_nul(buf, count); |
| if (IS_ERR(data)) |
| return PTR_ERR(data); |
| @@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(st |
| return -EPERM; |
| |
| /* |
| + * No partial write. |
| * Enough data must be present. |
| */ |
| if (*ppos != 0) |
| return -EINVAL; |
| + if (count == 0 || count > PAGE_SIZE) |
| + return -EINVAL; |
| |
| data = memdup_user_nul(buf, count); |
| if (IS_ERR(data)) |