diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-08-06 11:02:23 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-08-06 11:02:23 -0700 |
| commit | bfdd5aaa54b0a44d9df550fe4c9db7e1470a11b8 (patch) | |
| tree | ee2c8428f65b2b0589211dc52638753f2c6f7b69 /security | |
| parent | b62e419707ce082845c34161fe684d0c743b7953 (diff) | |
| parent | 42a2df3e829f3c5562090391b33714b2e2e5ad4a (diff) | |
| download | linux-bfdd5aaa54b0a44d9df550fe4c9db7e1470a11b8.tar.bz2 | |
Merge tag 'Smack-for-5.9' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler:
"Minor fixes to Smack for the v5.9 release.
All were found by automated checkers and have straightforward
resolution"
* tag 'Smack-for-5.9' of git://github.com/cschaufler/smack-next:
Smack: prevent underflow in smk_set_cipso()
Smack: fix another vsscanf out of bounds
Smack: fix use-after-free in smk_write_relabel_self()
Diffstat (limited to 'security')
| -rw-r--r-- | security/smack/smackfs.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index c21b656b3263..9c4308077574 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -884,7 +884,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, } ret = sscanf(rule, "%d", &maplevel); - if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) + if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) goto out; rule += SMK_DIGITLEN; @@ -905,6 +905,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, for (i = 0; i < catlen; i++) { rule += SMK_DIGITLEN; + if (rule > data + count) { + rc = -EOVERFLOW; + goto out; + } ret = sscanf(rule, "%u", &cat); if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) goto out; @@ -2720,7 +2724,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = smack_cred(current_cred()); char *data; int rc; LIST_HEAD(list_tmp); @@ -2745,11 +2748,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, kfree(data); if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { + struct cred *new; + struct task_smack *tsp; + + new = prepare_creds(); + if (!new) { + rc = -ENOMEM; + goto out; + } + tsp = smack_cred(new); smk_destroy_label_list(&tsp->smk_relabel); list_splice(&list_tmp, &tsp->smk_relabel); + commit_creds(new); return count; } - +out: smk_destroy_label_list(&list_tmp); return rc; } |