Merge tag 'Smack-for-v5.12' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler:
 "Bounds checking for writes to smackfs interfaces"

* tag 'Smack-for-v5.12' of git://github.com/cschaufler/smack-next:
  smackfs: restrict bytes count in smackfs write functions
torvalds committed Feb 22, 2021
2 parents d643a99 + 7ef4c19 commit 92ae63c
Showing 1 changed file with 19 additions and 2 deletions.
21 changes: 19 additions & 2 deletions security/smack/smackfs.c
Expand Up @@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
if (count < SMK_NETLBLADDRMIN)
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
return -EINVAL;

data = memdup_user_nul(buf, count);
Expand Down Expand Up @@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
if (count < SMK_NETLBLADDRMIN)
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
return -EINVAL;

data = memdup_user_nul(buf, count);
Expand Down Expand Up @@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

/* Enough data must be present */
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

if (count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

if (count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2648,6 +2658,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

/* Enough data must be present */
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
return -EPERM;

/*
* No partial write.
* Enough data must be present.
*/
if (*ppos != 0)
return -EINVAL;
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
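Review bot: The upper bound is inconsistent across these hunks: smk_write_net4addr and smk_write_net6addr reject `count > PAGE_SIZE - 1`, while smk_write_ambient, smk_write_onlycap, smk_write_unconfined, smk_write_syslog and smk_write_relabel_self accept up to `PAGE_SIZE`, so `memdup_user_nul(buf, count)` there requests `count + 1` bytes, one byte past a page. Neither limit looks unsafe from the lines shown, but a single limit for all seven writers is easier to audit; using `count > PAGE_SIZE - 1` in the five later checks would keep the copy and its terminating NUL within one page. The comment `/* Enough data must be present */` explains only the `count == 0` half of the test; something like `/* Reject empty writes and cap the user-supplied length before memdup_user_nul() */` would record why the ceiling exists. smk_write_onlycap and smk_write_unconfined still accept a zero-length write, which may be intentional but deserves a one-line comment saying so. All seven function bodies start and end outside the hunks shown.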
