Re: [PATCH] smackfs: restrict bytes count in smackfs write functions
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2021-01-25 18:09:43
Also in:
lkml
On 1/24/2021 6:36 AM, Sabyrzhan Tasbolatov wrote:
syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger than SMK_LONGLABEL,
for smk_write_syslog if bigger than PAGE_SIZE - 1.

Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <redacted>

Thank you for the patch. Unfortunately, SMK_LONGLABEL isn't the right value in some of these cases.
--- security/smack/smackfs.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 5d44b7d258ef..88678c6f1b8c 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c@@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, return -EPERM; if (*ppos != 0) return -EINVAL; - if (count < SMK_NETLBLADDRMIN) + if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL) return -EINVAL; data = memdup_user_nul(buf, count);@@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf, return -EPERM; if (*ppos != 0) return -EINVAL; - if (count < SMK_NETLBLADDRMIN) + if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL) return -EINVAL; data = memdup_user_nul(buf, count);@@ -2647,6 +2647,8 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (count > PAGE_SIZE - 1) + return -EINVAL; data = memdup_user_nul(buf, count); if (IS_ERR(data))@@ -2744,6 +2746,8 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, */ if (*ppos != 0) return -EINVAL; + if (count > SMK_LONGLABEL) + return -EINVAL; data = memdup_user_nul(buf, count); if (IS_ERR(data))
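Review bot: in smk_write_net4addr and smk_write_net6addr the new upper bound "count > SMK_LONGLABEL" compares the whole write against a label-length constant, while the lower bound in the same condition, SMK_NETLBLADDRMIN, indicates that the buffer carries an address as well as a label. A write holding an address followed by a label close to the maximum length would now be rejected with -EINVAL. The aim is only to keep the memdup_user_nul allocation small, so a size-based cap such as the "count > PAGE_SIZE - 1" used in the smk_write_syslog hunk would bound the allocation without tying the limit to the label length.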
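Review bot: in smk_write_syslog the limit "PAGE_SIZE - 1" is added without a comment, and the reason for the "- 1" is not obvious from the hunk. memdup_user_nul allocates count + 1 bytes to hold the terminating NUL, so this bound keeps the allocation within one page; a one-line comment saying so would stop a later cleanup from changing it to PAGE_SIZE. The patch also uses two different limits across its four checks, and the commit message should say why each function gets the one it does.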
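Review bot: in smk_write_relabel_self the check "count > SMK_LONGLABEL" caps the entire write at the length of a single label. If this file accepts more than one label per write, valid input is now rejected with -EINVAL. Please check the cap against what the parser that consumes data after memdup_user_nul accepts, and use the page-sized bound from the smk_write_syslog hunk if a write can legitimately be longer than one label.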