Skip to content

Commit

Permalink
smackfs: restrict bytes count in smackfs write functions
Browse files Browse the repository at this point in the history
syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE.

Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO,
smk_write_net6addr accepts any label or -DELETE. I couldn't find
any general rule for other label lengths except SMK_LABELLEN,
SMK_LONGLABEL, SMK_CIPSOMAX which are documented.

Let's constrain, in general, smackfs label lengths for PAGE_SIZE.
Although fuzzer crashes write to smackfs/netlabel on 0x400000 length.

Here is a quick way to reproduce the WARNING:
python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel

Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
  • Loading branch information
novitoll authored and cschaufler committed Feb 3, 2021
1 parent 1048ba8 commit 7ef4c19
Showing 1 changed file with 19 additions and 2 deletions.
21 changes: 19 additions & 2 deletions security/smack/smackfs.c
Original file line number Diff line number Diff line change
Expand Up @@ -1167,7 +1167,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
if (count < SMK_NETLBLADDRMIN)
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
return -EINVAL;

data = memdup_user_nul(buf, count);
Expand Down Expand Up @@ -1427,7 +1427,7 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
return -EPERM;
if (*ppos != 0)
return -EINVAL;
if (count < SMK_NETLBLADDRMIN)
if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
return -EINVAL;

data = memdup_user_nul(buf, count);
Expand Down Expand Up @@ -1834,6 +1834,10 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

/* Enough data must be present */
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

if (count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2092,6 +2099,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

if (count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2648,6 +2658,10 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;

/* Enough data must be present */
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
Expand Down Expand Up @@ -2740,10 +2754,13 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
return -EPERM;

/*
* No partial write.
* Enough data must be present.
*/
if (*ppos != 0)
return -EINVAL;
if (count == 0 || count > PAGE_SIZE)
return -EINVAL;

data = memdup_user_nul(buf, count);
if (IS_ERR(data))
Expand Down

0 comments on commit 7ef4c19

Please sign in to comment.