PWN-Hunter/android_kernel_xiaomi_sdm845
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5f15c0dd7d
android_kernel_xiaomi_sdm845/security
History
Sabyrzhan Tasbolatov db89bac638 smackfs: restrict bytes count in smackfs write functions 
commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream.

syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE.

Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO,
smk_write_net6addr accepts any label or -DELETE. I couldn't find
any general rule for other label lengths except SMK_LABELLEN,
SMK_LONGLABEL, SMK_CIPSOMAX which are documented.

Let's constrain, in general, smackfs label lengths for PAGE_SIZE.
Although fuzzer crashes write to smackfs/netlabel on 0x400000 length.

Here is a quick way to reproduce the WARNING:
python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel

Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-07 11:25:56 +01:00
..
apparmor apparmor: enforce nullbyte at end of tag string 2019-07-10 09:55:29 +02:00
integrity ima: Don't ignore errors from crypto_shash_update() 2020-10-29 09:05:32 +01:00
keys KEYS: trusted: Fix migratable=1 failing 2021-03-03 17:44:42 +01:00
loadpin
selinux selinux: sel_avc_get_stat_idx should increase position index 2020-10-01 20:40:07 +02:00
smack smackfs: restrict bytes count in smackfs write functions 2021-03-07 11:25:56 +01:00
tomoyo mm: replace get_user_pages_remote() write/force parameters with gup_flags 2016-10-19 08:12:02 -07:00
yama Yama: Check for pid death before checking ancestry 2019-01-23 08:10:54 +01:00
commoncap.c exec: Always set cap_ambient in cap_bprm_set_creds 2020-06-03 08:16:41 +02:00
device_cgroup.c device_cgroup: fix RCU imbalance in error case 2019-04-27 09:34:46 +02:00
inode.c
Kconfig KPTI: Rename to PAGE_TABLE_ISOLATION 2018-01-05 15:46:35 +01:00
lsm_audit.c dump_common_audit_data(): fix racy accesses to ->d_name 2021-01-23 15:38:17 +01:00
Makefile
min_addr.c
security.c LSM: Check for NULL cred-security on free 2019-01-23 08:10:55 +01:00