From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Kexec Mailing List <kexec@lists.infradead.org>,
linux-modules@vger.kernel.org,
"linux-fsdevel@vger.kernel.org" <fsdevel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Subject: Re: [RFC PATCH 1/5] vfs: define a generic function to read a file from the kernel
Date: Fri, 08 Jan 2016 15:29:46 -0500 [thread overview]
Message-ID: <1452284986.2651.18.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CAGXu5jLBJJ70D7-6JGQ6NEPHHpGia-qFCQfrOt07Kdh+z7x+Lw@mail.gmail.com>
On Fri, 2016-01-08 at 12:24 -0800, Kees Cook wrote:
> On Fri, Jan 8, 2016 at 11:22 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > In order to measure and appraise files being read by the kernel,
> > new module and kexec syscalls were defined which include a file
> > descriptor. Other places in the kernel (eg. firmware, IMA,
> > sound) also read files.
> >
> > This patch introduces a common function for reading files from
> > the kernel with the corresponding security post-read hook and
> > function.
> >
> > Changelog:
> > - Add missing <linux/vmalloc.h>
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > ---
> > fs/exec.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++
> > include/linux/fs.h | 1 +
> > include/linux/lsm_hooks.h | 11 ++++++++++
> > include/linux/security.h | 9 ++++++++
> > security/security.c | 16 ++++++++++++++
> > 5 files changed, 93 insertions(+)
> >
> > diff --git a/fs/exec.c b/fs/exec.c
> > index b06623a..3c48a19 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -56,6 +56,7 @@
> > #include <linux/pipe_fs_i.h>
> > #include <linux/oom.h>
> > #include <linux/compat.h>
> > +#include <linux/vmalloc.h>
> >
> > #include <asm/uaccess.h>
> > #include <asm/mmu_context.h>
> > @@ -831,6 +832,61 @@ int kernel_read(struct file *file, loff_t offset,
> >
> > EXPORT_SYMBOL(kernel_read);
> >
> > +int kernel_read_file(struct file *file, void **buf, loff_t *size,
> > + loff_t max_size, int policy_id)
> > +{
> > + loff_t i_size, pos;
> > + ssize_t bytes = 0;
> > + int ret;
> > +
> > + if (!S_ISREG(file_inode(file)->i_mode))
> > + return -EINVAL;
> > +
> > + i_size = i_size_read(file_inode(file));
> > + if (max_size > 0 && i_size > max_size)
> > + return -EFBIG;
> > + if (i_size == 0)
> > + return -EINVAL;
> > +
> > + *buf = vmalloc(i_size);
>
> This could get very large -- what risks do we have to system stability
> here? Having userspace able to trigger such a massive allocation could
> be a problem. The firmware loader was limited to MAX_INT...
The different callers allowed different sizes. Instead of hard coding
the max size for all callers, the third parameter of kernel_file_read is
the caller max_size.
Mimi
next prev parent reply other threads:[~2016-01-08 20:30 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-08 19:21 [RFC PATCH 0/5] vfs: support for a common kernel file loader (step 1) Mimi Zohar
2016-01-08 19:22 ` [RFC PATCH 1/5] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-01-08 20:24 ` Kees Cook
2016-01-08 20:29 ` Mimi Zohar [this message]
2016-01-08 19:22 ` [RFC PATCH 2/5] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-01-08 20:26 ` Kees Cook
2016-01-08 20:36 ` Mimi Zohar
2016-01-08 19:22 ` [RFC PATCH 3/5] kexec: replace call to copy_file_from_fd() " Mimi Zohar
2016-01-08 19:22 ` [RFC PATCH 4/5] ima: replace call to integrity_read_file() " Mimi Zohar
2016-01-08 19:22 ` [RFC PATCH 5/5] module: replace copy_module_from_fd " Mimi Zohar
2016-01-08 19:32 ` [RFC PATCH 0/5] vfs: support for a common kernel file loader (step 1) Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1452284986.2651.18.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).