[PATCH v2] smackfs: restrict bytes count in smackfs write functions

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Thu Jan 28 12:59:33 UTC 2021


On 2021/01/28 20:58, Sabyrzhan Tasbolatov wrote:
> @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
>  	if (!smack_privileged(CAP_MAC_ADMIN))
>  		return -EPERM;
>  
> +	if (count > PAGE_SIZE)
> +		return -EINVAL;
> +
>  	data = memdup_user_nul(buf, count);
>  	if (IS_ERR(data))
>  		return PTR_ERR(data);
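Review bot: the new `if (count > PAGE_SIZE)` bound in smk_write_onlycap() has no comment saying why PAGE_SIZE is the limit, and it is not consistent with the smk_write_relabel_self() hunk, which also rejects `count == 0`. Please add a short comment above the check and either apply the same `count == 0` handling here or state why this handler accepts an empty write. Because a write larger than PAGE_SIZE now returns -EINVAL before memdup_user_nul() is reached, the commit message should also state that user-visible change.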
> @@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
>  		return -EPERM;
>  
>  	/*
> +	 * No partial write.
>  	 * Enough data must be present.
>  	 */
>  	if (*ppos != 0)
>  		return -EINVAL;
> +	if (count == 0 || count > PAGE_SIZE)
> +		return -EINVAL;
>  
>  	data = memdup_user_nul(buf, count);
>  	if (IS_ERR(data))
> 
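Review bot: the comment block above the `*ppos` test gains "No partial write." but says nothing about the size cap added at `if (count == 0 || count > PAGE_SIZE)`, so the PAGE_SIZE limit in smk_write_relabel_self() is undocumented. Please extend the comment to cover both the empty-write rejection and the upper bound, or move each sentence of the comment next to the check it describes. Both cases return -EINVAL, the same value as the `*ppos != 0` case, so a caller cannot tell an oversized buffer from a non-zero offset; consider whether that is intended.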

Doesn't this change break legitimate requests like

  char buffer[20000];

  memset(buffer, ' ', sizeof(buffer));
  memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
  write(fd, buffer, sizeof(buffer));

?


