[PATCH v2] smackfs: restrict bytes count in smackfs write functions
Sabyrzhan Tasbolatov
snovitoll at gmail.com
Thu Jan 28 13:27:21 UTC 2021
> > /*
> > + * No partial write.
> > * Enough data must be present.
> > */
> > if (*ppos != 0)
> > return -EINVAL;
> > + if (count == 0 || count > PAGE_SIZE)
> > + return -EINVAL;
> >
> > data = memdup_user_nul(buf, count);
> > if (IS_ERR(data))
> >
>
> Doesn't this change break legitimate requests like
>
> char buffer[20000];
>
> memset(buffer, ' ', sizeof(buffer));
> memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
> write(fd, buffer, sizeof(buffer));
>
> ?
It does, in this case. Then I need to patch another version with
whitespace stripping before, after label. I just followed the same thing
that I see in security/selinux/selinuxfs.c sel_write_enforce() etc.
It has the same memdup_user_nul() and count >= PAGE_SIZE check prior to that.
More information about the Linux-security-module-archive
mailing list