| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241217182657.10080-2-leocstone@gmail.com> Date: Tue, 17 Dec 2024 10:26:57 -0800 From: Leo Stone <leocstone@...il.com> To: syzbot+4eb7a741b3216020043a@...kaller.appspotmail.com Cc: Leo Stone <leocstone@...il.com>, jmorris@...ei.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, mortonm@...omium.org, paul@...l-moore.com, serge@...lyn.com, syzkaller-bugs@...glegroups.com Subject: [PATCH v2] lsm: check size of writes syzbot attempts to write a buffer with a large size to a sysfs entry with writes handled by handle_policy_update(), triggering a warning in kmalloc. Check the size specified for write buffers before allocating. Reported-by: syzbot+4eb7a741b3216020043a@...kaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a Signed-off-by: Leo Stone <leocstone@...il.com> --- v2: Make the check in handle_policy_update() to also cover safesetid_uid_file_write(). Thanks for your feedback. v1: https://lore.kernel.org/all/20241216030213.246804-2-leocstone@gmail.com/ --- security/safesetid/securityfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c index 25310468bcdd..8e1ffd70b18a 100644 --- a/security/safesetid/securityfs.c +++ b/security/safesetid/securityfs.c @@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file, char *buf, *p, *end; int err; + if (len >= KMALLOC_MAX_SIZE) + return -EINVAL; + pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL); if (!pol) return -ENOMEM; -- 2.43.0
Powered by blists - more mailing lists