Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1793146imm;
        Tue, 10 Jul 2018 08:01:52 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfP6W2ryuu1bIDbsdyOAdbfqPprAxm8ycJ1DoPLpA06lRNcRgPH/cT+/wqcuv6X8rrd88Rf
X-Received: by 2002:a17:902:8:: with SMTP id 8-v6mr25606269pla.287.1531234911970;
        Tue, 10 Jul 2018 08:01:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531234911; cv=none;
        d=google.com; s=arc-20160816;
        b=TrupJL2vY+C7iJaH4xpcndfMINJ/hnYjh7NfuL620hEPnxxW6c+d/2rdWZ1Ko3MReN
         Bc9Jw7wTQfS9kbwcR0PwJXectPyQjbuG9Dx2wENiTofhFv1hzVSweyj++kD3QNoapgCu
         wjRkd+pDuCAjWsgcGGnaaSs6EPONUWJLWgRPMb3+pJQJxUg6CYSXntiyIKS6CyaV+YPJ
         8F1DMWOpjUnKK0zkmjQMBnQq7MfnO5U5o64/bXuTIgNfMndgomXqixpywlRtYz3VOWAp
         XZgS9iWJZmWFp7/92kVpEiITPhZ5CXzvshtLB297FuM8r4ID8DAd8x6qKaH9lMIYNdEv
         hJ0A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=uELY9vCfgt/lAFAHT7Un9LwUucZ4OJYHbOvISMQAhXA=;
        b=d8AoB3CgWplZSvSWtQBubmltunImfJScaH/HAwkJVwcVZNRBUF72X4OsNTvIhrjjmW
         +8E9pe2VeoM/3Ox0RmCMk6XVDm/K4fYzhk1/uqAehnhLZFa7jrLgwSZc0JSF7dVbtQyA
         JJZygGRkFPwd1Po9heM84GB93loOGs8YhPtSNEnZT2vtZVcGfsS2iuXQJtOu+5Tj4Yyo
         DpONb6XkorXdu9q+k8gqkJyvAo4vvCpsMClDkI+sNLFVJkeTLtrU2ZQXh2WgAWTpsnhz
         xGk4KCCsPDpcBFRgMtJe2b6caxacjPsL5JRD4aURRe6m8DogtEBmM9DsT3XKSZwV8BFE
         cAJw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q124-v6si19298290pfc.93.2018.07.10.08.01.24;
        Tue, 10 Jul 2018 08:01:51 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933740AbeGJPAO (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Tue, 10 Jul 2018 11:00:14 -0400
Received: from h2.hallyn.com ([78.46.35.8]:59638 "EHLO mail.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S933383AbeGJPAN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Jul 2018 11:00:13 -0400
Received: by mail.hallyn.com (Postfix, from userid 1001)
        id 38E23120D23; Tue, 10 Jul 2018 10:00:12 -0500 (CDT)
Date:   Tue, 10 Jul 2018 10:00:12 -0500
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Tyler Hicks <tyhicks@canonical.com>
Cc:     John Johansen <john.johansen@canonical.com>,
        James Morris <jmorris@namei.org>,
        Serge Hallyn <serge@hallyn.com>,
        Seth Arnold <seth.arnold@canonical.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] apparmor: Check buffer bounds when mapping
 permissions mask
Message-ID: <20180710150012.GC1661@mail.hallyn.com>
References: <1530854701-7348-1-git-send-email-tyhicks@canonical.com>
 <1530854701-7348-2-git-send-email-tyhicks@canonical.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1530854701-7348-2-git-send-email-tyhicks@canonical.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Tyler Hicks (tyhicks@canonical.com):
> Don't read past the end of the buffer containing permissions
> characters or write past the end of the destination string.
> 
> Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
> 
> Fixes: e53cfe6c7caa ("apparmor: rework perm mapping to a slightly broader set")
> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

Acked-by: Serge Hallyn <serge@hallyn.com>

> ---
>  security/apparmor/file.c          |  3 ++-
>  security/apparmor/include/perms.h |  3 ++-
>  security/apparmor/lib.c           | 17 +++++++++++++----
>  3 files changed, 17 insertions(+), 6 deletions(-)
> 
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index 224b2fef93ca..4285943f7260 100644
> --- a/security/apparmor/file.c
> +++ b/security/apparmor/file.c
> @@ -47,7 +47,8 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
>  {
>  	char str[10];
>  
> -	aa_perm_mask_to_str(str, aa_file_perm_chrs, map_mask_to_chr_mask(mask));
> +	aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
> +			    map_mask_to_chr_mask(mask));
>  	audit_log_string(ab, str);
>  }
>  
> diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
> index 38aa6247d00f..b94ec114d1a4 100644
> --- a/security/apparmor/include/perms.h
> +++ b/security/apparmor/include/perms.h
> @@ -137,7 +137,8 @@ extern struct aa_perms allperms;
>  	xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
>  
>  
> -void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
> +void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
> +			 u32 mask);
>  void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
>  			 u32 mask);
>  void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..7ab368c3789b 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -198,15 +198,24 @@ const char *aa_file_perm_names[] = {
>  /**
>   * aa_perm_mask_to_str - convert a perm mask to its short string
>   * @str: character buffer to store string in (at least 10 characters)
> + * @str_size: size of the @str buffer
> + * @chrs: NUL-terminated character buffer of permission characters
>   * @mask: permission mask to convert
>   */
> -void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
> +void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
>  {
>  	unsigned int i, perm = 1;
> +	size_t num_chrs = strlen(chrs);
> +
> +	for (i = 0; i < num_chrs; perm <<= 1, i++) {
> +		if (mask & perm) {
> +			/* Ensure that one byte is left for NUL-termination */
> +			if (WARN_ON_ONCE(str_size <= 1))
> +				continue;
>  
> -	for (i = 0; i < 32; perm <<= 1, i++) {
> -		if (mask & perm)
>  			*str++ = chrs[i];
> +			str_size--;
> +		}
>  	}
>  	*str = '\0';
>  }
> @@ -236,7 +245,7 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
>  
>  	audit_log_format(ab, "\"");
>  	if ((mask & chrsmask) && chrs) {
> -		aa_perm_mask_to_str(str, chrs, mask & chrsmask);
> +		aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
>  		mask &= ~chrsmask;
>  		audit_log_format(ab, "%s", str);
>  		if (mask & namesmask)
> -- 
> 2.7.4