From: Al Viro <viro@ftp.linux.org.uk>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: torvalds@osdl.org, akpm@osdl.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel
Date: Sun, 14 Oct 2007 18:34:39 +0100 [thread overview]
Message-ID: <20071014173439.GV8181@ftp.linux.org.uk> (raw)
In-Reply-To: <47124EBE.5090303@schaufler-ca.com>
On Sun, Oct 14, 2007 at 10:15:42AM -0700, Casey Schaufler wrote:
> This version fixes a major blunder in label handling. The system
> works, but has a serious memory leak that also induces a gradual
> performance degradation. Al Viro gets the credit for pointing out
> that one. Al suggested several other improvements that are not
> included. They should come soon, but I wanted to get this flaw
> out of the code before too many people hit it.
Ahem... This
> +static ssize_t smk_write_doi(struct file *file, const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + char temp[80];
> + int i;
> +
> + if (!capable(CAP_MAC_OVERRIDE))
> + return -EPERM;
> +
> + if (count > sizeof(temp))
> + return -EINVAL;
> +
> + if (copy_from_user(temp, buf, count) != 0)
> + return -EFAULT;
> +
> + if (sscanf(temp, "%d", &i) != 1)
> + return -EINVAL;
is not really a missing improvement; it's a geniune undefined behaviour.
temp[] is uninitialized, then you copy there some data that doesn't have
to contain NUL, then you call sscanf(). Boom. The same goes for the rest
of similar places.
And this
> +static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
> + size_t cn, loff_t *ppos)
> +{
> + ssize_t rc;
> + int asize = strlen(smack_net_ambient) + 1;
> +
> + if (cn < asize)
> + return -EINVAL;
> +
> + if (*ppos != 0)
> + return 0;
> +
> + rc = simple_read_from_buffer(buf, cn, ppos, smack_net_ambient, asize);
is honest-to-$DEITY security hole - that file is world-readable and there's
nothing to prevent simple_read_from_buffer() blocking on page-in of buf,
then root writing to that file changing smack_net_ambient and doing kfree()
on the old value - one we'd already passed to simple_read_from_buffer().
At which point reader is about to get whatever data that might land in
whatever that memory gets reused for.
Besides, as I said the last time, smack_net_ambient has every right to
get changed between strlen() and passing argument to simple_read_from_buffer(),
in which case you'll be copying the amount of data that used to be in the
old one, taking it from the new one. New one might very well be shorter.
next prev parent reply other threads:[~2007-10-14 17:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-14 17:15 [PATCH] Version 7 (2.6.23) Smack: Simplified Mandatory Access Control Kernel Casey Schaufler
2007-10-14 17:34 ` Al Viro [this message]
2007-10-14 17:56 ` Casey Schaufler
2007-10-14 23:13 ` Ahmed S. Darwish
2007-10-15 3:30 ` Casey Schaufler
2007-10-15 15:12 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071014173439.GV8181@ftp.linux.org.uk \
--to=viro@ftp.linux.org.uk \
--cc=akpm@osdl.org \
--cc=casey@schaufler-ca.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox