Skip to content

Commit 7ef4c19

Browse files
novitollcschaufler
novitoll
authored and
cschaufler
committed
smackfs: restrict bytes count in smackfs write functions
syzbot found WARNINGs in several smackfs write operations where bytes count is passed to memdup_user_nul which exceeds GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, smk_write_net6addr accepts any label or -DELETE. I couldn't find any general rule for other label lengths except SMK_LABELLEN, SMK_LONGLABEL, SMK_CIPSOMAX which are documented. Let's constrain, in general, smackfs label lengths for PAGE_SIZE. Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. Here is a quick way to reproduce the WARNING: python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel Reported-by: [email protected] Signed-off-by: Sabyrzhan Tasbolatov <[email protected]> Signed-off-by: Casey Schaufler <[email protected]>
1 parent 1048ba8 commit 7ef4c19

1 file changed

Lines changed: 19 additions & 2 deletions

File tree

security/smack/smackfs.c

Lines changed: 19 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
11671167
return -EPERM;
11681168
if (*ppos != 0)
11691169
return -EINVAL;
1170-
if (count < SMK_NETLBLADDRMIN)
1170+
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
11711171
return -EINVAL;
11721172

11731173
data = memdup_user_nul(buf, count);
@@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
14271427
return -EPERM;
14281428
if (*ppos != 0)
14291429
return -EINVAL;
1430-
if (count < SMK_NETLBLADDRMIN)
1430+
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
14311431
return -EINVAL;
14321432

14331433
data = memdup_user_nul(buf, count);
@@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
18341834
if (!smack_privileged(CAP_MAC_ADMIN))
18351835
return -EPERM;
18361836

1837+
/* Enough data must be present */
1838+
if (count == 0 || count > PAGE_SIZE)
1839+
return -EINVAL;
1840+
18371841
data = memdup_user_nul(buf, count);
18381842
if (IS_ERR(data))
18391843
return PTR_ERR(data);
@@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
20052009
if (!smack_privileged(CAP_MAC_ADMIN))
20062010
return -EPERM;
20072011

2012+
if (count > PAGE_SIZE)
2013+
return -EINVAL;
2014+
20082015
data = memdup_user_nul(buf, count);
20092016
if (IS_ERR(data))
20102017
return PTR_ERR(data);
@@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
20922099
if (!smack_privileged(CAP_MAC_ADMIN))
20932100
return -EPERM;
20942101

2102+
if (count > PAGE_SIZE)
2103+
return -EINVAL;
2104+
20952105
data = memdup_user_nul(buf, count);
20962106
if (IS_ERR(data))
20972107
return PTR_ERR(data);
@@ -2648,6 +2658,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
26482658
if (!smack_privileged(CAP_MAC_ADMIN))
26492659
return -EPERM;
26502660

2661+
/* Enough data must be present */
2662+
if (count == 0 || count > PAGE_SIZE)
2663+
return -EINVAL;
2664+
26512665
data = memdup_user_nul(buf, count);
26522666
if (IS_ERR(data))
26532667
return PTR_ERR(data);
@@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
27402754
return -EPERM;
27412755

27422756
/*
2757+
* No partial write.
27432758
* Enough data must be present.
27442759
*/
27452760
if (*ppos != 0)
27462761
return -EINVAL;
2762+
if (count == 0 || count > PAGE_SIZE)
2763+
return -EINVAL;
27472764

27482765
data = memdup_user_nul(buf, count);
27492766
if (IS_ERR(data))

0 commit comments

Comments
 (0)