| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241216081953.3566217-1-lizhi.xu@windriver.com>
Date: Mon, 16 Dec 2024 16:19:53 +0800
From: Lizhi Xu <lizhi.xu@...driver.com>
To: <syzbot+7536f77535e5210a5c76@...kaller.appspotmail.com>
CC: <jmorris@...ei.org>, <linux-kernel@...r.kernel.org>,
<linux-security-module@...r.kernel.org>, <paul@...l-moore.com>,
<penguin-kernel@...ove.SAKURA.ne.jp>, <serge@...lyn.com>,
<syzkaller-bugs@...glegroups.com>, <takedakn@...data.co.jp>,
<tomoyo-dev-en@...ts.osdn.me>
Subject: [PATCH] tomoyo: prevent bad buffer size in tracing_cpumask_write
User input a too large buffer size 0xfffffdeful, although it is truncated to
MAX_RW_COUNT in vfs_write, its value is still too large, causing warning when
allocating memory in tomoyo_write_control.
Add a check for it to avoid this case.
Reported-by: syzbot+7536f77535e5210a5c76@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
Tested-by: syzbot+7536f77535e5210a5c76@...kaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@...driver.com>
---
security/tomoyo/common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 5c7b059a332a..f63388c2fffd 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2654,6 +2654,8 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
if (!head->write)
return -EINVAL;
+ if (avail_len > KMALLOC_MAX_SIZE)
+ return -EINVAL;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
cp0 = head->write_buf;
--
2.43.0
Powered by blists - more mailing lists