[PATCH v2] smackfs: restrict bytes count in smackfs write functions
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Thu Jan 28 12:59:33 UTC 2021
On 2021/01/28 20:58, Sabyrzhan Tasbolatov wrote:
> @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
> if (!smack_privileged(CAP_MAC_ADMIN))
> return -EPERM;
>
> + if (count > PAGE_SIZE)
> + return -EINVAL;
> +
> data = memdup_user_nul(buf, count);
> if (IS_ERR(data))
> return PTR_ERR(data);
> @@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
> return -EPERM;
>
> /*
> + * No partial write.
> * Enough data must be present.
> */
> if (*ppos != 0)
> return -EINVAL;
> + if (count == 0 || count > PAGE_SIZE)
> + return -EINVAL;
>
> data = memdup_user_nul(buf, count);
> if (IS_ERR(data))
>
Doesn't this change break legitimate requests like
char buffer[20000];
memset(buffer, ' ', sizeof(buffer));
memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
write(fd, buffer, sizeof(buffer));
?
More information about the Linux-security-module-archive
mailing list