[PATCH v2] smackfs: restrict bytes count in smackfs write functions

Sabyrzhan Tasbolatov snovitoll at gmail.com
Thu Jan 28 13:27:21 UTC 2021


> >  	/*
> > +	 * No partial write.
> >  	 * Enough data must be present.
> >  	 */
> >  	if (*ppos != 0)
> >  		return -EINVAL;
> > +	if (count == 0 || count > PAGE_SIZE)
> > +		return -EINVAL;
> >  
> >  	data = memdup_user_nul(buf, count);
> >  	if (IS_ERR(data))
> > 
> 
> Doesn't this change break legitimate requests like
> 
>   char buffer[20000];
> 
>   memset(buffer, ' ', sizeof(buffer));
>   memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
>   write(fd, buffer, sizeof(buffer));
> 
> ?

It does, in this case. Then I need to patch another version with
whitespace stripping before, after label. I just followed the same thing
that I see in security/selinux/selinuxfs.c sel_write_enforce() etc.

It has the same memdup_user_nul() and count >= PAGE_SIZE check prior to that.



More information about the Linux-security-module-archive mailing list