summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2020-08-06 20:02:23 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2020-08-06 20:02:23 +0200
commitbfdd5aaa54b0a44d9df550fe4c9db7e1470a11b8 (patch)
treeee2c8428f65b2b0589211dc52638753f2c6f7b69 /security
parentMerge tag 'mips_5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux (diff)
parentSmack: prevent underflow in smk_set_cipso() (diff)
downloadlinux-bfdd5aaa54b0a44d9df550fe4c9db7e1470a11b8.tar.xz
linux-bfdd5aaa54b0a44d9df550fe4c9db7e1470a11b8.zip
Merge tag 'Smack-for-5.9' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler: "Minor fixes to Smack for the v5.9 release. All were found by automated checkers and have straightforward resolution" * tag 'Smack-for-5.9' of git://github.com/cschaufler/smack-next: Smack: prevent underflow in smk_set_cipso() Smack: fix another vsscanf out of bounds Smack: fix use-after-free in smk_write_relabel_self()
Diffstat (limited to 'security')
-rw-r--r--security/smack/smackfs.c19
1 files changed, 16 insertions, 3 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index c21b656b3263..9c4308077574 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -884,7 +884,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
}
ret = sscanf(rule, "%d", &maplevel);
- if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
+ if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL)
goto out;
rule += SMK_DIGITLEN;
@@ -905,6 +905,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
for (i = 0; i < catlen; i++) {
rule += SMK_DIGITLEN;
+ if (rule > data + count) {
+ rc = -EOVERFLOW;
+ goto out;
+ }
ret = sscanf(rule, "%u", &cat);
if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
goto out;
@@ -2720,7 +2724,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = smack_cred(current_cred());
char *data;
int rc;
LIST_HEAD(list_tmp);
@@ -2745,11 +2748,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
kfree(data);
if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
+ struct cred *new;
+ struct task_smack *tsp;
+
+ new = prepare_creds();
+ if (!new) {
+ rc = -ENOMEM;
+ goto out;
+ }
+ tsp = smack_cred(new);
smk_destroy_label_list(&tsp->smk_relabel);
list_splice(&list_tmp, &tsp->smk_relabel);
+ commit_creds(new);
return count;
}
-
+out:
smk_destroy_label_list(&list_tmp);
return rc;
}