diff options
| author | Konstantin Khlebnikov <k.khlebnikov@samsung.com> | 2014-08-07 12:52:43 -0400 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2014-08-08 17:51:07 -0400 |
| commit | b862e561bad6372872f5bf98d95f4131d265b110 (patch) | |
| tree | 86df1aa1baae0401ede16a22748bef65ca345ea3 /security | |
| parent | fd5c9d230d2ac8a2594dfd15f0cca678fd7a64c7 (diff) | |
Smack: handle zero-length security labels without panic
Zero-length security labels are invalid but kernel should handle them.
This patch fixes kernel panic after setting zero-length security labels:
# attr -S -s "SMACK64" -V "" file
And after writing zero-length string into smackfs files syslog and onlycp:
# python -c 'import os; os.write(1, "")' > /smack/syslog
The problem is caused by brain-damaged logic in function smk_parse_smack()
which takes pointer to buffer and its length but if length below or equal zero
it thinks that the buffer is zero-terminated. Unfortunately callers of this
function are widely used and proper fix requires serious refactoring.
Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/smack/smack_lsm.c | 2 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b11ab23b328b..afa5ad0e7f72 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -923,7 +923,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, | |||
| 923 | rc = -EPERM; | 923 | rc = -EPERM; |
| 924 | 924 | ||
| 925 | if (rc == 0 && check_import) { | 925 | if (rc == 0 && check_import) { |
| 926 | skp = smk_import_entry(value, size); | 926 | skp = size ? smk_import_entry(value, size) : NULL; |
| 927 | if (skp == NULL || (check_star && | 927 | if (skp == NULL || (check_star && |
| 928 | (skp == &smack_known_star || skp == &smack_known_web))) | 928 | (skp == &smack_known_star || skp == &smack_known_web))) |
| 929 | rc = -EINVAL; | 929 | rc = -EINVAL; |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 3c720ff10591..56a1439786a9 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -1677,7 +1677,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, | |||
| 1677 | if (smack_onlycap != NULL && smack_onlycap != skp) | 1677 | if (smack_onlycap != NULL && smack_onlycap != skp) |
| 1678 | return -EPERM; | 1678 | return -EPERM; |
| 1679 | 1679 | ||
| 1680 | data = kzalloc(count, GFP_KERNEL); | 1680 | data = kzalloc(count + 1, GFP_KERNEL); |
| 1681 | if (data == NULL) | 1681 | if (data == NULL) |
| 1682 | return -ENOMEM; | 1682 | return -ENOMEM; |
| 1683 | 1683 | ||
| @@ -2228,7 +2228,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf, | |||
| 2228 | if (!smack_privileged(CAP_MAC_ADMIN)) | 2228 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2229 | return -EPERM; | 2229 | return -EPERM; |
| 2230 | 2230 | ||
| 2231 | data = kzalloc(count, GFP_KERNEL); | 2231 | data = kzalloc(count + 1, GFP_KERNEL); |
| 2232 | if (data == NULL) | 2232 | if (data == NULL) |
| 2233 | return -ENOMEM; | 2233 | return -ENOMEM; |
| 2234 | 2234 | ||