Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1027695pxb; Thu, 28 Jan 2021 06:29:52 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjbbnfZFFJ0bystcArqcZ2i+JHdxwS53O5PqkSvvHlc3ex0bPvu7/kRLzuij6kzWlnhCgO X-Received: by 2002:a17:906:858f:: with SMTP id v15mr11208320ejx.238.1611844191886; Thu, 28 Jan 2021 06:29:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611844191; cv=none; d=google.com; s=arc-20160816; b=xYtz+AieGUtijXGX2+Vc/VSPDiN0fb4d8B/YOYlJc1BB+uYBF5LNK35pE92whMP0H8 WuGAtgY/JOchD2v67pGU529SyRIkX+vEJKkqsIWFGGRa5x/IzE1aerfXP/rt+BYkc/rz ibjxtlnXDa2G6khd1MAoXTN/aB4iAX2BJLdQtppF/GFoaIQxwDab81/Uai7KMzshAQ54 hVjKVFWAII8esLmPBXNAqliMdJFtgc8t9CrRdGNCUmzQODOdiQrJYqNMY1PxbaPuf279 NTMMaD4I9/7Jl9lWghXSzIwSlYGEHi2guWHHvigvnpajmYn5CiTQJLg8EzMDhxGFhhem X3NA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=E71Vg6+69BxrD5FZ5oqUB6cTYOEO3xZXvAAMROp5syw=; b=0dIO6NOitc5+vIOI9qxVV3NRtMctE4FfewycBvoXQeTOnGaE8TpYUuhKmlii61dWHl Zyh2cw9jA3rxjUiv0+N0EBWQ5H8ylv14+p+DcqaBa1Xo/hlfWd7SxFdunbjMSzItvPmq O69vAxSYm8LOmPJV4AeO+rsJ6UkHm0aWCLNEX0eqK1HzaeCTOiNaWe6ddy/qv9EHZDff jH3QKutSgxJDOqDbZQYmQJYT8B5YJeJKYSn1+GkEh9u2bUU/0aWZuliUY6gKuG876ind RBI1WkAO8CyGN/e82FgdhgdGZB1tO+JJMG0UxoYw4zInavrSy82M+1bifNzth85ttgju 1gcg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d11si2627069ejr.349.2021.01.28.06.29.27; Thu, 28 Jan 2021 06:29:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231664AbhA1O0v (ORCPT + 99 others); Thu, 28 Jan 2021 09:26:51 -0500 Received: from www262.sakura.ne.jp ([202.181.97.72]:56630 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231586AbhA1O0n (ORCPT ); Thu, 28 Jan 2021 09:26:43 -0500 Received: from fsav107.sakura.ne.jp (fsav107.sakura.ne.jp [27.133.134.234]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 10SEO2ih089405; Thu, 28 Jan 2021 23:24:02 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav107.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav107.sakura.ne.jp); Thu, 28 Jan 2021 23:24:02 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav107.sakura.ne.jp) Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 10SEO2oI089396 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Thu, 28 Jan 2021 23:24:02 +0900 (JST) (envelope-from penguin-kernel@i-love.sakura.ne.jp) Subject: Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions To: Sabyrzhan Tasbolatov Cc: andreyknvl@google.com, casey@schaufler-ca.com, jmorris@namei.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, mhocko@suse.com, serge@hallyn.com, syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com References: <5271074f-930a-46e9-8ece-2cc65d45dc19@i-love.sakura.ne.jp> <20210128132721.1111920-1-snovitoll@gmail.com> From: Tetsuo Handa Message-ID: <8d66b6fd-81d3-38bd-703f-522a2e2d6fca@i-love.sakura.ne.jp> Date: Thu, 28 Jan 2021 23:24:00 +0900 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1 MIME-Version: 1.0 In-Reply-To: <20210128132721.1111920-1-snovitoll@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021/01/28 22:27, Sabyrzhan Tasbolatov wrote: >> Doesn't this change break legitimate requests like >> >> char buffer[20000]; >> >> memset(buffer, ' ', sizeof(buffer)); >> memcpy(buffer + sizeof(buffer) - 10, "foo", 3); >> write(fd, buffer, sizeof(buffer)); >> >> ? > > It does, in this case. Then I need to patch another version with > whitespace stripping before, after label. I just followed the same thing > that I see in security/selinux/selinuxfs.c sel_write_enforce() etc. > > It has the same memdup_user_nul() and count >= PAGE_SIZE check prior to that. Since sel_write_enforce() accepts string representation of an integer value, PAGE_SIZE is sufficient. But since smk_write_onlycap() and smk_write_relabel_self() accept list of space-delimited words, you need to prove why PAGE_SIZE does not break userspace in your patch. Also, due to the "too small to fail" memory-allocation rule, memdup_user_nul() for count < PAGE_SIZE * 8 bytes is "never fails with -ENOMEM unless SIGKILLed by the OOM killer". Also, memdup_user_nul() for count >= PAGE_SIZE * (1 << MAX_ORDER) - 1 bytes is "never succeeds". Thus, you can safely add if (count >= PAGE_SIZE * (1 << MAX_ORDER) - 1) return -EINVAL; // or -ENOMEM if you want compatibility to smackfs write functions. But it is a strange requirement that the caller of memdup_user_nul() has to be aware of upper limit in a way that we won't hit /* * There are several places where we assume that the order value is sane * so bail out early if the request is out of bound. */ if (unlikely(order >= MAX_ORDER)) { WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)); return NULL; } path. memdup_user_nul() side should do if (count >= PAGE_SIZE * (1 << MAX_ORDER) - 1) return -ENOMEM; check and return -ENOMEM if memdup_user_nul() does not want to use __GFP_NOWARN. I still believe that memdup_user_nul() side should be fixed.