Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-02-02 Thread Casey Schaufler
On 2/2/2021 11:13 AM, Sabyrzhan Tasbolatov wrote:
>> if PAGE_SIZE >= SMK_LOADSIZE all legitimate requests can be made
>> using PAGE_SIZE as a limit. Your example with 19990 spaces before
>> the data demonstrates that the interface is inadequately documented.
>> Tizen and Automotive Grade Linux are

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-02-02 Thread Sabyrzhan Tasbolatov
> if PAGE_SIZE >= SMK_LOADSIZE all legitimate requests can be made
> using PAGE_SIZE as a limit. Your example with 19990 spaces before
> the data demonstrates that the interface is inadequately documented.
> Tizen and Automotive Grade Linux are going to be fine with a PAGE_SIZE
> limit. The best

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Casey Schaufler
On 1/28/2021 6:24 AM, Tetsuo Handa wrote:
> On 2021/01/28 22:27, Sabyrzhan Tasbolatov wrote:
>>> Doesn't this change break legitimate requests like
>>>
>>> char buffer[20000];
>>>
>>> memset(buffer, ' ', sizeof(buffer));
>>> memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
>>> write(fd,

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Tetsuo Handa
On 2021/01/28 22:27, Sabyrzhan Tasbolatov wrote:
>> Doesn't this change break legitimate requests like
>>
>> char buffer[20000];
>>
>> memset(buffer, ' ', sizeof(buffer));
>> memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
>> write(fd, buffer, sizeof(buffer));
>>
>> ?
>
> It does, in this

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Sabyrzhan Tasbolatov
> > /* > > +* No partial write. > > * Enough data must be present. > > */ > > if (*ppos != 0) > > return -EINVAL; > > + if (count == 0 || count > PAGE_SIZE) > > + return -EINVAL; > > > > data = memdup_user_nul(buf, count); > > if
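
Review bot: the comment block above the new `count == 0 || count > PAGE_SIZE` check only gains "No partial write." and says nothing about the size ceiling, so the PAGE_SIZE limit is invisible to anyone reading the handler. The check is correctly placed before memdup_user_nul(buf, count), so it does bound the allocation; add a comment line stating that empty writes and writes larger than PAGE_SIZE are rejected with -EINVAL, and mention the limit in the interface documentation as well, since the thread itself notes the interface is inadequately documented.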

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Tetsuo Handa
On 2021/01/28 20:58, Sabyrzhan Tasbolatov wrote: > @@ -2005,6 +2009,9 @@ static ssize_t smk_write_onlycap(struct file *file, > const char __user *buf, > if (!smack_privileged(CAP_MAC_ADMIN)) > return -EPERM; > > + if (count > PAGE_SIZE) > + return -EINVAL; >
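
Review bot: the bound added to smk_write_onlycap is `count > PAGE_SIZE` only, while the other hunk quoted in this thread rejects `count == 0 || count > PAGE_SIZE`, so a zero-length write is treated differently between handlers. If an empty write is meaningful for onlycap, say so in a comment next to the check; otherwise use the same condition in both places. Placing the check after smack_privileged(CAP_MAC_ADMIN) is fine, since unprivileged callers still get -EPERM before any size-dependent error.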

[PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Sabyrzhan Tasbolatov
syzbot found WARNINGs in several smackfs write operations where bytes count is passed to memdup_user_nul which exceeds GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, smk_write_net6addr accepts any label or -DELETE. I