On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote:
> >> Why PAGE_SIZE-1?
> > 
> > This is to avoid allocation of more than a single page.
> 
> Yes, but you don't need PAGE_SIZE - 1 for that.  The check can just be
> >= PAGE_SIZE, as used elsewhere in selinuxfs.c.

A sequence of bytes passed to a write handler may not be 0-terminated,
so it cannot be used directly as a scanf argument.

As far as I can see, compute_av and similar handlers use transaction ops,
which have a more or less similar condition:

char *simple_transaction_get(struct file *file, const char __user *buf, size_t size)
{
        struct simple_transaction_argresp *ar;
        static DEFINE_SPINLOCK(simple_transaction_lock);

        /* reject requests that would not leave a terminating zero byte */
        if (size > SIMPLE_TRANSACTION_LIMIT - 1)
                return ERR_PTR(-EFBIG);
        /* ... remainder of the function elided in the quoted excerpt ... */

SIMPLE_TRANSACTION_LIMIT is PAGE_SIZE minus sizeof(ssize_t).

Since the buffer is the result of get_zeroed_page(), it is guaranteed to
be 0-terminated: [ssize_t][SIMPLE_TRANSACTION_LIMIT-1][\0].

On the other hand, e.g. sel_write_checkreqprot() does not look correct, since
the only reason it won't access memory beyond the page boundary on incorrect
4096-byte input is if sscanf stops parsing the number once integer overflow
happens.

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

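The two handler patterns compared in this message, as an added user-space model that is not the kernel's code and not part of the thread: a selinuxfs-style write handler that refuses count >= PAGE_SIZE before copying into a zeroed page and parsing with sscanf, and a simple_transaction_get()-style layout of [ssize_t][data][\0] with the SIMPLE_TRANSACTION_LIMIT - 1 check. The MODEL_ names are stand-ins for the kernel macros, calloc() stands in for get_zeroed_page() and memcpy() for copy_from_user(); the inputs in main() are constructed for the demonstration.

```c
/* Added example (not kernel code): models why a length check of
 * "count >= PAGE_SIZE" on a zeroed page always leaves the NUL byte that
 * sscanf needs, and how the transaction buffer layout guarantees the same. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

#define MODEL_PAGE_SIZE 4096UL
/* Mirrors SIMPLE_TRANSACTION_LIMIT = PAGE_SIZE - sizeof(ssize_t) (assumed stand-in). */
#define MODEL_TRANSACTION_LIMIT (MODEL_PAGE_SIZE - sizeof(ssize_t))

/* Model of the selinuxfs handler pattern: reject a request that would fill the
 * whole page, copy the bytes into a zeroed page, then parse one unsigned int.
 * Returns 0 and stores the value, or a negative errno-style code. */
int model_write_uint(const char *buf, size_t count, unsigned int *value)
{
        char *page;
        int ret;

        /* count == PAGE_SIZE would overwrite the final zero byte, so it is
         * refused; any count <= PAGE_SIZE - 1 leaves page[count] == '\0'. */
        if (count >= MODEL_PAGE_SIZE)
                return -ENOMEM;

        page = calloc(1, MODEL_PAGE_SIZE);      /* stands in for get_zeroed_page() */
        if (!page)
                return -ENOMEM;
        memcpy(page, buf, count);               /* stands in for copy_from_user() */

        /* the page is NUL-terminated, so sscanf cannot run off its end */
        ret = (sscanf(page, "%u", value) == 1) ? 0 : -EINVAL;
        free(page);
        return ret;
}

/* Model of the transaction layout: [ssize_t][data ...][\0] in one zeroed page. */
struct model_argresp {
        ssize_t size;
        char data[];
};

/* Returns a pointer to the NUL-terminated data area and hands the page back
 * through *out, or NULL when the request is too large (kernel: ERR_PTR(-EFBIG)). */
char *model_transaction_get(const char *buf, size_t size, struct model_argresp **out)
{
        struct model_argresp *ar;

        if (size > MODEL_TRANSACTION_LIMIT - 1)
                return NULL;

        ar = calloc(1, MODEL_PAGE_SIZE);
        if (!ar)
                return NULL;
        memcpy(ar->data, buf, size);
        *out = ar;
        return ar->data;        /* data[size] is at most the page's last byte, still zero */
}

/* Is the data area terminated inside the page after a copy of 'size' bytes? */
int model_data_is_terminated(const char *data, size_t size)
{
        return data[size] == '\0';
}

int main(void)
{
        unsigned int v = 0;
        char big[MODEL_PAGE_SIZE];              /* constructed: a page full of digits */
        struct model_argresp *ar = NULL;
        char *data;

        if (model_write_uint("1\n", 2, &v) == 0)
                printf("parsed %u\n", v);

        memset(big, '7', sizeof(big));
        printf("PAGE_SIZE input rejected: %d\n",
               model_write_uint(big, MODEL_PAGE_SIZE, &v));
        /* PAGE_SIZE-1 digits stay in bounds; the numeric result depends on the
         * C library's overflow handling, which is the concern raised above. */
        printf("PAGE_SIZE-1 input result: %d\n",
               model_write_uint(big, MODEL_PAGE_SIZE - 1, &v));

        data = model_transaction_get(big, MODEL_TRANSACTION_LIMIT - 1, &ar);
        if (data) {
                printf("transaction data terminated: %d\n",
                       model_data_is_terminated(data, MODEL_TRANSACTION_LIMIT - 1));
                free(ar);
        }
        return 0;
}
```

The -ENOMEM return for an over-long count mirrors the selinuxfs handlers; the model keeps that code rather than a more descriptive one so the comparison with the quoted kernel checks stays direct.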