[PATCH] selinux_sb_copy_data should not require a whole page

[Eric Paris]

Currently selinux_sb_copy_data requires an entire page be allocated to
*orig when the function is called.  This "requirement" is based on the
fact that we call copy_page(in_save, nosec_save) and in_save = orig when
the data is not FS_BINARY_MOUNTDATA.  This means that if a caller were
to call do_kern_mount with only about 10 bytes of options, they would
get passed here and then we would corrupt PAGE_SIZE - 10 bytes of memory
(with all zeros.)  

Currently it appears all in kernel FS's use one page of data so this has
not been a problem.  An out of kernel FS did just what is described
above and it would almost always panic shortly after they tried to
mount.  From looking else where in the kernel it is obvious that this
string of data must always be null terminated.  (See example in do_mount
where it always zeros the last byte.)  Thus I suggest we use strcpy in
place of copy_page.  In this way we make sure the amount we copy is
always less than or equal to the amount we received and since do_mount
is zeroing the last byte this should be safe for all.

-Eric

Signed-off-by: Eric Paris <eparis@xxxxxxxxxxxxxx>

--- linux-2.6.12.1/security/selinux/hooks.c.eric	2005-06-29 14:48:54.000000000 -0400
+++ linux-2.6.12.1/security/selinux/hooks.c	2005-06-29 14:50:38.000000000 -0400
@@ -68,6 +68,7 @@
 #include <linux/personality.h>
 #include <linux/sysctl.h>
 #include <linux/audit.h>
+#include <linux/string.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -1943,7 +1944,7 @@ static int selinux_sb_copy_data(struct f
 		}
 	} while (*in_end++);
 
-	copy_page(in_save, nosec_save);
+	strcpy(in_save, nosec_save);
 	free_page((unsigned long)nosec_save);
 out:
 	return rc;


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/