From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Leo Stone <leocstone@gmail.com>,
syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com,
Paul Moore <paul@paul-moore.com>, Sasha Levin <sashal@kernel.org>,
mortonm@chromium.org, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 6.12 28/31] safesetid: check size of policy writes
Date: Sun, 26 Jan 2025 09:54:44 -0500 [thread overview]
Message-ID: <20250126145448.930220-28-sashal@kernel.org> (raw)
In-Reply-To: <20250126145448.930220-1-sashal@kernel.org>
From: Leo Stone <leocstone@gmail.com>
[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ]
syzbot attempts to write a buffer with a large size to a sysfs entry
with writes handled by handle_policy_update(), triggering a warning
in kmalloc.
Check the size specified for write buffers before allocating.
Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a
Signed-off-by: Leo Stone <leocstone@gmail.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/safesetid/securityfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
index 25310468bcddf..8e1ffd70b18ab 100644
--- a/security/safesetid/securityfs.c
+++ b/security/safesetid/securityfs.c
@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
char *buf, *p, *end;
int err;
+ if (len >= KMALLOC_MAX_SIZE)
+ return -EINVAL;
+
pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
if (!pol)
return -ENOMEM;
--
2.39.5
next prev parent reply other threads:[~2025-01-26 14:56 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-26 14:54 [PATCH AUTOSEL 6.12 01/31] drm/virtio: New fence for every plane update Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 02/31] drm: Add panel backlight quirks Sasha Levin
2025-01-26 16:28 ` Thomas Weißschuh
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 03/31] drm: panel-backlight-quirks: Add Framework 13 matte panel Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 04/31] drm: panel-backlight-quirks: Add Framework 13 glossy and 2.8k panels Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 05/31] nvkm/gsp: correctly advance the read pointer of GSP message queue Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 06/31] nvkm: correctly calculate the available space of the GSP cmdq buffer Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 07/31] drm/tests: hdmi: handle empty modes in find_preferred_mode() Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 08/31] drm/tests: hdmi: return meaningful value from set_connector_edid() Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 09/31] drm/amd/display: Populate chroma prefetch parameters, DET buffer fix Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 10/31] drm/amd/display: Overwriting dualDPP UBF values before usage Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 11/31] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 12/31] drm/connector: add mutex to protect ELD from concurrent access Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 13/31] drm/bridge: anx7625: use eld_mutex to protect access to connector->eld Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 14/31] drm/bridge: ite-it66121: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 15/31] drm/amd/display: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 16/31] drm/exynos: hdmi: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 17/31] drm/radeon: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 18/31] drm/sti: hdmi: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 19/31] drm/vc4: " Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 20/31] drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 21/31] drm/amdgpu: Don't enable sdma 4.4.5 CTXEMPTY interrupt Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 22/31] drm/amdkfd: Queue interrupt work to different CPU Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 23/31] drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 24/31] drm/bridge: it6505: fix HDCP Bstatus check Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 25/31] drm/bridge: it6505: fix HDCP encryption when R0 ready Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 26/31] drm/bridge: it6505: fix HDCP CTS compare V matching Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 27/31] drm/bridge: it6505: fix HDCP CTS KSV list wait timer Sasha Levin
2025-01-26 14:54 ` Sasha Levin [this message]
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 29/31] drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 30/31] drm/amd/display: Limit Scaling Ratio on DCN3.01 Sasha Levin
2025-01-26 14:54 ` [PATCH AUTOSEL 6.12 31/31] ring-buffer: Make reading page consistent with the code logic Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250126145448.930220-28-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jmorris@namei.org \
--cc=leocstone@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mortonm@chromium.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.