[PATCH AUTOSEL 5.10 3/3] safesetid: check size of policy writes

From: Sasha Levin
Date: Sun Jan 26 2025 - 10:21:50 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.4 1/2] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.1 9/9] safesetid: check size of policy writes"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.10 2/3] drm/sti: hdmi: use eld_mutex to protect access to connector->eld"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leo Stone <leocstone@xxxxxxxxx>

[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ]

syzbot attempts to write a buffer with a large size to a sysfs entry
with writes handled by handle_policy_update(), triggering a warning
in kmalloc.

Check the size specified for write buffers before allocating.

Reported-by: syzbot+4eb7a741b3216020043a@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a
Signed-off-by: Leo Stone <leocstone@xxxxxxxxx>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
security/safesetid/securityfs.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
index 25310468bcddf..8e1ffd70b18ab 100644
--- a/security/safesetid/securityfs.c
+++ b/security/safesetid/securityfs.c
@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
char *buf, *p, *end;
int err;

+ if (len >= KMALLOC_MAX_SIZE)
+ return -EINVAL;
+
pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
if (!pol)
return -ENOMEM;
--
2.39.5

Next message: Sasha Levin: "[PATCH AUTOSEL 5.4 1/2] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.1 9/9] safesetid: check size of policy writes"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.10 2/3] drm/sti: hdmi: use eld_mutex to protect access to connector->eld"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]