From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: zohar@linux.vnet.ibm.com, linux-security-module@vger.kernel.org,
linux-ima-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, jack@suse.cz, jmorris@namei.org,
dmitry.kasatkin@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH v3 3/3] evm: check xattr value length and type in evm_inode_setxattr()
Date: Tue, 28 Oct 2014 14:33:22 +0200 [thread overview]
Message-ID: <544F8D12.2030104@samsung.com> (raw)
In-Reply-To: <5fccfb5344bad84eb87096dd6b9d5a775dc11efb.1414494901.git.d.kasatkin@samsung.com>
Sorry, this was the wrong version of the patch.
Please ignore this patch and use what is in the reply to this patch:
[PATCH v3 1/1] evm: check xattr value length and type in
evm_inode_setxattr()
- Dmitry
On 28/10/14 13:31, Dmitry Kasatkin wrote:
> evm_inode_setxattr() can be called with no value. The function does not
> check the length so that following command can be used to produce the
> kernel oops: setfattr -n security.evm FOO. This patch fixes it.
>
> Changes in v2:
> * testing for validity of xattr type
>
> [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
> [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
> [ 1106.399953] Oops: 0000 [#1] SMP
> [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
> [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
> [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
> [ 1106.400020] RIP: 0010:[<ffffffff812af7b8>] [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
> [ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246
> [ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
> [ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
> [ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
> [ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
> [ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
> [ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
> [ 1106.400020] Stack:
> [ 1106.400020] ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
> [ 1106.400020] ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
> [ 1106.400020] 0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
> [ 1106.400020] Call Trace:
> [ 1106.400020] [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
> [ 1106.400020] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
> [ 1106.400020] [<ffffffff8116d1e0>] setxattr+0x122/0x16c
> [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
> [ 1106.400020] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
> [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
> [ 1106.400020] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
> [ 1106.400020] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
> [ 1106.400020] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
> [ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
> [ 1106.400020] RIP [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
> [ 1106.400020] RSP <ffff88002917fd50>
> [ 1106.400020] CR2: 0000000000000000
> [ 1106.428061] ---[ end trace ae08331628ba3050 ]---
>
> Reported-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
> Cc: stable@vger.kernel.org
> ---
> security/integrity/evm/evm_main.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index b392fe6..1384e4b 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -324,9 +324,14 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> {
> const struct evm_ima_xattr_data *xattr_data = xattr_value;
>
> - if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
> - && (xattr_data->type == EVM_XATTR_HMAC))
> - return -EPERM;
> + if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
> + if (!xattr_value_len)
> + return -EINVAL;
> + if (xattr_data->type == EVM_XATTR_HMAC)
> + return -EPERM;
> + if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
> + return -EINVAL;
> + }
> return evm_protect_xattr(dentry, xattr_name, xattr_value,
> xattr_value_len);
> }
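Review bot: the two type checks, `if (xattr_data->type == EVM_XATTR_HMAC)` returning -EPERM and `if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)` returning -EINVAL, differ only in the errno: every value whose first byte is not EVM_IMA_XATTR_DIGSIG is rejected either way. Consider folding them into one `if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)` with a single, deliberately chosen return code, so the rule reads as "only signed EVM xattrs may be written from user space". The `if (!xattr_value_len) return -EINVAL;` placed before the first dereference is the actual fix for the NULL pointer in the trace and is correctly ordered first. The changelog above the trace still only carries "Changes in v2"; a line saying what changed in this v3 respin is missing.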
Thread overview:
2014-10-28 11:31 [PATCH v3 0/3] integrity: NULL pointer dereference fixes Dmitry Kasatkin
2014-10-28 11:31 ` [PATCH v3 1/3] ima: check xattr value length and type in the ima_inode_setxattr() Dmitry Kasatkin
2014-10-28 11:31 ` [PATCH v3 2/3] ima: limit file hash setting by user to fix and log modes Dmitry Kasatkin
2014-10-28 11:31 ` [PATCH v3 3/3] evm: check xattr value length and type in evm_inode_setxattr() Dmitry Kasatkin
2014-10-28 12:28 ` [PATCH v3 1/1] " Dmitry Kasatkin
2014-10-28 12:33 ` Dmitry Kasatkin [this message]
2014-10-28 14:23 ` [PATCH v3 0/3] integrity: NULL pointer dereference fixes Mimi Zohar
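The trigger described in the commit message above (`setfattr -n security.evm FOO`, i.e. a security.evm write with no value) and the before/after logic of the hunk, modelled in user space. This is an added example, not code from the patch or the kernel tree: the struct layout and the type-tag values follow the kernel's evm_ima_xattr_data and enum evm_ima_xattr_type as assumed here, and the model_* function names are hypothetical.

```c
/*
 * Added example, not part of the patch or the kernel tree: a user-space model
 * of the evm_inode_setxattr() check before and after the fix, plus the
 * setxattr(2) call that triggers the original oops. Type-tag values are those
 * of the kernel's integrity.h of that era (assumed); model_* names are
 * hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

#define XATTR_NAME_EVM "security.evm"

/* Type tag stored in the first byte of security.evm / security.ima (assumed). */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST = 0,
	EVM_XATTR_HMAC = 1,
	EVM_IMA_XATTR_DIGSIG = 2,
	IMA_XATTR_DIGEST_NG = 3,
};

/* First byte is the type tag; the rest is the HMAC, signature or digest. */
struct evm_ima_xattr_data {
	uint8_t type;
	uint8_t payload[];
};

/*
 * Before the fix: the only guard is the name comparison, so a security.evm
 * write with value == NULL (size 0) dereferences NULL at xattr_data->type.
 * Kept for comparison only; never call it with a NULL value and that name.
 */
static int model_check_before(const char *name, const void *value, size_t len)
{
	const struct evm_ima_xattr_data *xattr_data = value;

	(void)len;	/* the original never looked at the length */
	if (strcmp(name, XATTR_NAME_EVM) == 0 && xattr_data->type == EVM_XATTR_HMAC)
		return -EPERM;
	return 0;
}

/*
 * After the fix, with the hunk's logic: an empty value is rejected before the
 * pointer is touched; a user-supplied HMAC is refused; anything that is not a
 * signature is invalid.
 */
static int model_check_after(const char *name, const void *value, size_t len)
{
	const struct evm_ima_xattr_data *xattr_data = value;

	if (strcmp(name, XATTR_NAME_EVM) == 0) {
		if (!len)
			return -EINVAL;
		if (xattr_data->type == EVM_XATTR_HMAC)
			return -EPERM;
		if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
			return -EINVAL;
	}
	return 0;
}

/* Run the fixed check on a constructed two-byte value {type, 0x00}. */
static int model_check_typed(const char *name, uint8_t type)
{
	uint8_t buf[2] = { type, 0x00 };

	return model_check_after(name, buf, sizeof(buf));
}

/*
 * User-space trigger equivalent to `setfattr -n security.evm FOO`: setxattr(2)
 * with no value. With size == 0 the kernel hands the LSM hook a NULL value
 * pointer, which is what the unfixed check dereferenced. Returns 0 or -errno.
 */
static int model_trigger(const char *path)
{
#ifdef __linux__
	if (setxattr(path, XATTR_NAME_EVM, NULL, 0, 0) < 0)
		return -errno;
	return 0;
#else
	(void)path;
	return -ENOSYS;
#endif
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : "FOO";
	int ret = model_trigger(path);

	printf("setxattr(%s, %s, NULL, 0) -> %d (%s)\n", path, XATTR_NAME_EVM,
	       ret, ret ? strerror(-ret) : "ok");
	printf("model_check_after(NULL, 0) -> %d\n",
	       model_check_after(XATTR_NAME_EVM, NULL, 0));
	return 0;
}
```

Run it as `./a.out FOO` on a file you own: on a kernel with the fix the security.evm write with an empty value is refused by the hook rather than oopsing, and the model shows the same ordering that makes that safe, the length test strictly before any read through the value pointer. Names other than security.evm are untouched by both variants because the strcmp short-circuits first.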