diff options
author | John Johansen <john.johansen@canonical.com> | 2010-10-09 09:47:53 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-10-21 01:12:46 +0200 |
commit | 3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa (patch) | |
tree | 8b01e83cfa6b18fe8b83b342733931d5f98bc1b2 | |
parent | TOMOYO: Print URL information before panic(). (diff) | |
download | linux-3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa.tar.xz linux-3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa.zip |
AppArmor: Ensure the size of the copy is < the buffer allocated to hold it
Actually I think in this case the appropriate thing to do is to BUG as there
is currently a case (remove) where the alloc_size needs to be larger than
the copy_size, and if copy_size is ever greater than alloc_size there is
a mistake in the caller code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/apparmor/apparmorfs.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 7320331b44ab..544ff5837cb6 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -29,7 +29,7 @@ * aa_simple_write_to_buffer - common routine for getting policy from user * @op: operation doing the user buffer copy * @userbuf: user buffer to copy data from (NOT NULL) - * @alloc_size: size of user buffer + * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) * @copy_size: size of data to copy from user buffer * @pos: position write is at in the file (NOT NULL) * @@ -42,6 +42,8 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf, { char *data; + BUG_ON(copy_size > alloc_size); + if (*pos != 0) /* only writes from pos 0, that is complete writes */ return ERR_PTR(-ESPIPE); |