From: Denis Efremov
To: unlisted-recipients:; (no To-header on input)
Cc: Denis Efremov, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler, James Morris, "Serge E. Hallyn", stable@vger.kernel.org
Subject: [PATCH] Smack: check length in smk_set_cipso()
Date: Wed, 20 Nov 2019 17:51:18 +0300
Message-Id: <20191120145118.30402-1-efremov@linux.com>
X-Mailer: git-send-email 2.21.0
X-Mailing-List: linux-kernel@vger.kernel.org

It's possible to trigger an out-of-bounds read in smk_set_cipso().
For example (from root):

$ echo "test 1" > /sys/fs/smackfs/cipso2
BUG: KASAN: slab-out-of-bounds in vsscanf+0x2203/0x2990
Read of size 1 at addr ffff888061b023c9 by task bash/5578

The patch adds length checks for the SMK_LONG_FMT format.
The bug was found by syzkaller.

Cc: Casey Schaufler
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc:
Signed-off-by: Denis Efremov
---
 security/smack/smackfs.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e3e05c04dbd1..fad50a5a807b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -878,6 +878,9 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, else rule += strlen(skp->smk_known) + 1; + if (rule - data + 2 * SMK_DIGITLEN - 1 >= count) + goto out; + ret = sscanf(rule, "%d", &maplevel); if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) goto out;
@@ -887,15 +890,19 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) goto out; - if (format == SMK_FIXED24_FMT && - count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) + rule += SMK_DIGITLEN; + + if ((format == SMK_FIXED24_FMT && + count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) || + (format == SMK_LONG_FMT && + count != (rule - data + catlen * SMK_DIGITLEN))) goto out; memset(mapcatset, 0, sizeof(mapcatset)); for (i = 0; i < catlen; i++) { - rule += SMK_DIGITLEN; ret = sscanf(rule, "%u", &cat); + rule += SMK_DIGITLEN; if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) goto out; -- 2.21.0
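Review bot: in the @@ -878,6 +878,9 @@ hunk the new check `if (rule - data + 2 * SMK_DIGITLEN - 1 >= count)` is correct but hides its intent behind an off-by-one: it rejects exactly when fewer than 2 * SMK_DIGITLEN bytes remain after the label, i.e. when the level field and the category-count field cannot both fit. Spelling that out as `if (rule + 2 * SMK_DIGITLEN > data + count)` (or one check in front of each of the two sscanf() calls) reads the same way the later per-category arithmetic does and drops the `- 1`. Two things to confirm that the hunk does not show: that `rc` already holds an error value when this `goto out` is taken, since the new path does not set it, and whether a negative maplevel should also be rejected, because the unchanged context line `if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)` still lets one through.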
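Review bot: in the @@ -887,15 +890,19 @@ hunk the long-format condition `count != (rule - data + catlen * SMK_DIGITLEN)` changes what cipso2 accepts, not only what it reads: any byte after the last category field, including the newline a shell `echo` appends, now fails with `goto out`, while before the patch the loop only required each sscanf() to succeed. To keep every `sscanf(rule, "%u", &cat)` inside the buffer a lower bound is enough, `count < (rule - data + catlen * SMK_DIGITLEN)`, so either use that (and then add an explicit `catlen < 0` test, since the context line `catlen > SMACK_CIPSO_MAXCATNUM` does not reject negative values and the equality form was the only thing ruling them out) or state in the commit message that trailing bytes are now deliberately refused. Moving `rule += SMK_DIGITLEN` to after the sscanf() in the loop, with the extra advance hoisted above the check, is behaviour-preserving: `rule` points at the same byte for every read as before.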
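To make the arithmetic behind the `echo "test 1"` trigger visible, the following is an added userspace model of the SMK_LONG_FMT walk in smk_set_cipso(); it is example code written for this page, not the kernel's code and not the patch author's. It assumes SMK_DIGITLEN == 4, SMACK_CIPSO_MAXLEVEL == 255 and SMACK_CIPSO_MAXCATNUM == 239, approximates smk_import_entry() as "the label runs up to the first blank", and replaces the out-of-bounds sscanf() with a recorded offset so it can run safely in userspace. With `hardened == 0` it follows the pre-patch pointer walk; with `hardened == 1` it applies the two checks the patch adds. All inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Userspace model of the SMK_LONG_FMT parsing walk in smk_set_cipso().
 * Added illustration, not the kernel's code. The constant values are
 * assumed to match security/smack/smack.h.
 */
#define SMK_DIGITLEN          4	/* width of every numeric field */
#define SMACK_CIPSO_MAXLEVEL  255
#define SMACK_CIPSO_MAXCATNUM 239

struct cipso_rule {
	char label[64];
	int maplevel;
	int catlen;
	unsigned int cats[SMACK_CIPSO_MAXCATNUM];
};

/* Offset of the first sscanf() that would have run past the copy, or -1. */
static int oob_offset = -1;

/*
 * memdup_user_nul() hands the kernel count bytes plus a NUL at data[count],
 * so data[count] is the last byte sscanf() may legally touch. Instead of
 * reading past it (what KASAN caught), record the offset and fail.
 */
static int field_in_bounds(size_t count, size_t off)
{
	if (off > count) {
		if (oob_offset < 0)
			oob_offset = (int)off;
		return 0;
	}
	return 1;
}

/*
 * Walk buf the way the kernel does: label, then level, category count and
 * categories, each SMK_DIGITLEN bytes apart. Returns count on success and
 * -EINVAL for anything rejected, mirroring the function's goto out path.
 */
static int parse_long_fmt(const char *buf, size_t count, int hardened,
			  struct cipso_rule *r)
{
	char *data;
	size_t rule = 0;	/* the cursor the kernel calls rule, as an offset */
	size_t lablen;
	int ret, i, rc = -EINVAL;

	oob_offset = -1;
	memset(r, 0, sizeof(*r));
	data = malloc(count + 1);
	if (!data)
		return -ENOMEM;
	memcpy(data, buf, count);
	data[count] = '\0';

	/* smk_import_entry() consumes the label up to the first blank/NUL. */
	lablen = strcspn(data, " \t\n");
	if (lablen == 0 || lablen >= sizeof(r->label))
		goto out;
	memcpy(r->label, data, lablen);
	rule += lablen + 1;	/* rule += strlen(skp->smk_known) + 1 */

	/* Patch, first hunk: the level and count fields must both fit. */
	if (hardened && rule + 2 * SMK_DIGITLEN > count)
		goto out;

	if (!field_in_bounds(count, rule))
		goto out;
	ret = sscanf(data + rule, "%d", &r->maplevel);
	if (ret != 1 || r->maplevel > SMACK_CIPSO_MAXLEVEL)
		goto out;
	rule += SMK_DIGITLEN;

	if (!field_in_bounds(count, rule))
		goto out;
	ret = sscanf(data + rule, "%d", &r->catlen);
	if (ret != 1 || r->catlen > SMACK_CIPSO_MAXCATNUM)
		goto out;
	rule += SMK_DIGITLEN;

	/* Patch, second hunk: exact length for the long format. */
	if (hardened &&
	    (long)count != (long)rule + (long)r->catlen * SMK_DIGITLEN)
		goto out;

	for (i = 0; i < r->catlen; i++) {
		if (!field_in_bounds(count, rule))
			goto out;
		ret = sscanf(data + rule, "%u", &r->cats[i]);
		rule += SMK_DIGITLEN;
		if (ret != 1 || r->cats[i] > SMACK_CIPSO_MAXCATNUM)
			goto out;
	}
	rc = (int)count;
out:
	free(data);
	return rc;
}

/* Wrappers so every outcome is a plain return value. */
static int result_for(const char *buf, int hardened)
{
	struct cipso_rule r;
	return parse_long_fmt(buf, strlen(buf), hardened, &r);
}

static int oob_for(const char *buf, int hardened)
{
	struct cipso_rule r;
	parse_long_fmt(buf, strlen(buf), hardened, &r);
	return oob_offset;
}

static int category_for(const char *buf, int idx)
{
	struct cipso_rule r;
	if (parse_long_fmt(buf, strlen(buf), 1, &r) < 0 || idx >= r.catlen)
		return -1;
	return (int)r.cats[idx];
}

int main(void)
{
	/* Constructed inputs: the trigger from the commit message, a
	 * well-formed rule (label, level 1, two categories 5 and 7, every
	 * field 4 bytes wide) and that rule with the newline echo appends. */
	const char *trigger = "test 1\n";
	const char *good = "test 1   2   5   7   ";
	const char *good_nl = "test 1   2   5   7   \n";

	printf("pre-patch \"test 1\\n\":       rc=%d oob_offset=%d\n",
	       result_for(trigger, 0), oob_for(trigger, 0));
	printf("patched   \"test 1\\n\":       rc=%d oob_offset=%d\n",
	       result_for(trigger, 1), oob_for(trigger, 1));
	printf("patched   well-formed rule:  rc=%d cats[1]=%d\n",
	       result_for(good, 1), category_for(good, 1));
	printf("patched   rule + newline:    rc=%d\n", result_for(good_nl, 1));
	return 0;
}
```

Running it shows the 7-byte write "test 1\n" reaching offset 9 of an 8-byte copy in the pre-patch walk (the second field sits at label length + 1 + SMK_DIGITLEN), and being rejected before any field is read once the first check is in place. It also shows the exact-length check refusing an otherwise valid rule that carries a trailing newline, which the pre-patch walk parsed without complaint.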