From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
John Johansen <john.johansen@canonical.com>,
James Morris <james.l.morris@oracle.com>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 3.18 30/68] apparmor: Make path_max parameter readonly
Date: Mon, 19 Mar 2018 19:06:08 +0100
Message-ID: <20180319171832.014048042@linuxfoundation.org>
In-Reply-To: <20180319171827.899658615@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
[ Upstream commit 622f6e3265707ebf02ba776ac6e68003bcc31213 ]
The path_max parameter determines the max size of buffers allocated
but it should not be settable at run time. It can be used to cause an
oops
root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max
root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max
Killed
[ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff
[ 122.143497] IP: [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.144742] PGD 220c067 PUD 0
[ 122.145453] Oops: 0002 [#1] SMP
[ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect
[ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes
[ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu
[ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000
[ 122.170018] RIP: 0010:[<ffffffff81228844>] [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206
[ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000
[ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010
[ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000
[ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000
[ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400
[ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000
[ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0
[ 122.182469] Stack:
[ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000
[ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58
[ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000
[ 122.187231] Call Trace:
[ 122.187680] [<ffffffff81385671>] aa_path_name+0x81/0x370
[ 122.188637] [<ffffffff813875dd>] profile_transition+0xbd/0xb80
[ 122.190181] [<ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0
[ 122.191674] [<ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0
[ 122.193288] [<ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220
[ 122.194793] [<ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30
[ 122.196392] [<ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110
[ 122.198004] [<ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50
[ 122.199737] [<ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600
[ 122.201377] [<ffffffff81346e53>] security_bprm_set_creds+0x33/0x50
[ 122.203024] [<ffffffff81214ce5>] prepare_binprm+0x85/0x190
[ 122.204515] [<ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710
[ 122.206200] [<ffffffff81216a6a>] SyS_execve+0x3a/0x50
[ 122.207615] [<ffffffff81838795>] stub_execve+0x5/0x5
[ 122.208978] [<ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8
[ 122.217320] RIP [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.218860] RSP <ffff880076477b90>
[ 122.219919] CR2: ffff880080945fff
[ 122.220936] ---[ end trace 506cdbd85eb6c55e ]---
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -735,7 +735,7 @@ module_param_named(logsyscall, aa_g_logs
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.
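Review bot: the comment above aa_g_path_max in this hunk still reads only "Maximum pathname length before accesses will start getting rejected" and gives no reason for the permission now being S_IRUSR alone. Adding a few words there, for example that the value sizes the path buffers and must not change after boot, would keep someone from restoring S_IWUSR later. Dropping the write bit closes only the sysfs write path: the parameter is still parsed through the aauint type when supplied at load time, and nothing in these lines bounds the value, so it is worth confirming that the setter rejects or clamps sizes the buffer allocation cannot satisfy.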