From: Andrew Perepechko <anserper@ya.ru>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-security-module@vger.kernel.org,
andrew.perepechko@seagate.com, selinux@tycho.nsa.gov
Subject: Re: [PATCH] selinux: export validatetrans decisions
Date: Tue, 27 Oct 2015 22:25:50 +0300
Message-ID: <1906418.tuE4tFhnmG@panda-pc>
In-Reply-To: <562FC685.503@tycho.nsa.gov>
On Tuesday 27 Oct 2015 14:46:29 Stephen Smalley wrote:
> >> Why PAGE_SIZE-1?
> >
> > This is to avoid allocation of more than a single page.
>
> Yes, but you don't need PAGE_SIZE - 1 for that. The check can just be
> >= PAGE_SIZE, as used elsewhere in selinuxfs.c.
A sequence of bytes passed to a write handler may not be 0-terminated,
so it cannot be used directly as a scanf argument.
As far as I can see, compute_av and similar handlers use transaction ops,
which have more or less similar condition:
char *simple_transaction_get(struct file *file, const char __user *buf, size_t size)
{
	struct simple_transaction_argresp *ar;
	static DEFINE_SPINLOCK(simple_transaction_lock);

	if (size > SIMPLE_TRANSACTION_LIMIT - 1)
		return ERR_PTR(-EFBIG);
SIMPLE_TRANSACTION_LIMIT is PAGE_SIZE minus sizeof(ssize_t).
Since the buffer is the result of get_zeroed_page(), it is guaranteed to
be 0-terminated: [ssize_t][SIMPLE_TRANSACTION_LIMIT-1][\0].
On the other hand, e.g. sel_write_checkreqprot() does not look correct, since
the only reason that it won't access beyond the page boundary on incorrect
4096-byte input is if sscanf stops parsing a number after integer overflow
happens.
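The size-check argument above, as an added user-space model (not kernel code, not part of this patch or thread): a selinuxfs-style write handler that copies a caller's bytes into a zeroed page and hands it to sscanf, next to the simple_transaction layout. The handler and probe function names, the `max_count` parameter that selects the `>` versus `>=` check, and the all-digit sample input are assumptions made here for illustration; the constants mirror the ones named in the mail.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#undef PAGE_SIZE
#define PAGE_SIZE 4096UL
#define SIMPLE_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(ssize_t))

/* Model of a selinuxfs-style write handler for a boolean knob (hypothetical
 * name): reject input larger than max_count, copy it into a zeroed page, hand
 * the page to sscanf. max_count == PAGE_SIZE - 1 models the kernel's
 * "if (count >= PAGE_SIZE) return -ENOMEM"; max_count == PAGE_SIZE models a
 * one-byte-too-lenient "count > PAGE_SIZE" check.
 * Returns 0/1 on success or -errno. *nul_inside reports whether the page still
 * holds a terminator after the copy; when it does not, this model skips sscanf
 * because the call would read past the page (a real handler has no such guard,
 * which is exactly the problem the check has to prevent). */
static int handler_parse(const char *buf, size_t count, size_t max_count,
                         int *nul_inside)
{
    unsigned int value;
    char *page;
    int rc;

    *nul_inside = 0;
    if (count > max_count)
        return -ENOMEM;

    page = calloc(1, PAGE_SIZE);            /* get_zeroed_page() stand-in */
    if (!page)
        return -ENOMEM;
    memcpy(page, buf, count);               /* copy_from_user() stand-in */

    *nul_inside = memchr(page, '\0', PAGE_SIZE) != NULL;
    if (!*nul_inside)
        rc = -EINVAL;                       /* unterminated: sscanf unsafe */
    else if (sscanf(page, "%u", &value) != 1)
        rc = -EINVAL;
    else
        rc = value ? 1 : 0;
    free(page);
    return rc;
}

/* Convenience wrapper: parse a C string with the >= PAGE_SIZE check. */
static int parse_flag(const char *s)
{
    int nul;
    return handler_parse(s, strlen(s), PAGE_SIZE - 1, &nul);
}

/* Constructed input: 'count' ASCII '0' digits with no terminator, the way
 * user-space bytes arrive (zeros keep the parsed value in range).
 * Result: -ENOMEM if rejected, 1 if accepted with a NUL still inside the
 * page, 0 if accepted but the page is completely unterminated. */
static int probe_handler(size_t count, size_t max_count)
{
    char *buf = malloc(count ? count : 1);
    int nul, rc;

    if (!buf)
        return -ENOMEM;
    memset(buf, '0', count);
    rc = handler_parse(buf, count, max_count, &nul);
    free(buf);
    return rc == -ENOMEM ? -ENOMEM : nul;
}

/* Model of simple_transaction_get(): a ssize_t slot, then at most
 * SIMPLE_TRANSACTION_LIMIT - 1 request bytes, in a zeroed page:
 * [ssize_t][SIMPLE_TRANSACTION_LIMIT-1][\0].
 * Returns -EFBIG if rejected, else 1 when the page's last byte is still 0. */
static int probe_transaction(size_t size)
{
    char *page;
    int terminated;

    if (size > SIMPLE_TRANSACTION_LIMIT - 1)
        return -EFBIG;
    page = calloc(1, PAGE_SIZE);
    if (!page)
        return -ENOMEM;
    memset(page + sizeof(ssize_t), 'x', size);      /* request bytes */
    terminated = page[PAGE_SIZE - 1] == '\0';
    free(page);
    return terminated;
}

int main(void)
{
    printf("\"1\" with >= PAGE_SIZE check: %d\n", parse_flag("1"));
    printf("full page, >= check: %d (rejected)\n",
           probe_handler(PAGE_SIZE, PAGE_SIZE - 1));
    printf("full page, > check: %d (accepted, no NUL)\n",
           probe_handler(PAGE_SIZE, PAGE_SIZE));
    printf("transaction at limit: %d (terminated)\n",
           probe_transaction(SIMPLE_TRANSACTION_LIMIT - 1));
    return 0;
}
```

With the `>=` check the largest accepted write is PAGE_SIZE - 1 bytes, so a page from get_zeroed_page() always ends in at least one zero byte; with a `>` check a PAGE_SIZE-byte write fills the page and nothing stops a scanf-family call from reading past it. The transaction path gets the same guarantee from its own limit, since sizeof(ssize_t) + (SIMPLE_TRANSACTION_LIMIT - 1) is PAGE_SIZE - 1.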
Thread overview: 6+ messages
2015-10-27 17:07 [PATCH] selinux: export validatetrans decisions Andrew Perepechko
2015-10-27 18:15 ` Stephen Smalley
2015-10-27 18:27 ` Andrew Perepechko
2015-10-27 18:46 ` Stephen Smalley
2015-10-27 19:25 ` Andrew Perepechko [this message]
2015-10-27 19:33 ` Andrew Perepechko