From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, morgan@kernel.org, arjan@infradead.org
Subject: Re: [PATCH] Capabilities: BUG when an invalid capability is requested
Date: Wed, 29 Oct 2008 11:28:17 -0500 [thread overview]
Message-ID: <20081029162817.GB14705@us.ibm.com> (raw)
In-Reply-To: <1225294932.23736.28.camel@localhost.localdomain>
Quoting Eric Paris (eparis@redhat.com):
> If an invalid (large) capability is requested the capabilities system
> may panic as it is dereferencing an array of fixed (short) length. Its
> possible (and actually often happens) that the capability system
> accidentally stumbled into a valid memory region but it also regularly
> happens that it hits invalid memory and BUGs. If such an operation does
> get past cap_capable then the selinux system is sure to have problems as
> it already does a (simple) validity check and BUG. This is known to
> happen by the broken and buggy firegl driver.
>
> This patch cleanly checks all capable calls and BUG if a call is for an
> invalid capability. This will likely break the firegl driver for some
> situations, but it is the right thing to do. Garbage into a security
> system gets you killed/bugged
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
I really don't like this, but I'm not sure we really have a choice.
Acked-by: Serge Hallyn <serue@us.ibm.com>
I suppose we can think later about whether it's worthwhile (a) having a
separate capable() function exported, keeping one without the check for
compiled-in use only, and/or (b) changing the cap_valid() definition to
be "(((unsigned int)cap) <= CAP_LAST_CAP)" which seems to work and shave
one whopping instruction. I suspect the answer will be no to both.
Thanks, Eric.
-serge
>
> ---
>
> kernel/capability.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/kernel/capability.c b/kernel/capability.c
> index 33e51e7..50d9d99 100644
> --- a/kernel/capability.c
> +++ b/kernel/capability.c
> @@ -498,6 +498,11 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
> */
> int capable(int cap)
> {
> + if (unlikely(!cap_valid(cap))) {
> + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
> + BUG();
> + }
> +
> if (has_capability(current, cap)) {
> current->flags |= PF_SUPERPRIV;
> return 1;
>
next prev parent reply other threads:[~2008-10-29 16:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-29 15:42 [PATCH] Capabilities: BUG when an invalid capability is requested Eric Paris
2008-10-29 15:49 ` Arjan van de Ven
2008-10-29 16:28 ` Serge E. Hallyn [this message]
2008-10-30 1:20 ` Andrew G. Morgan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081029162817.GB14705@us.ibm.com \
--to=serue@us.ibm.com \
--cc=arjan@infradead.org \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=morgan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox