From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933315AbaHHUyk (ORCPT ); Fri, 8 Aug 2014 16:54:40 -0400 Received: from static.92.5.9.176.clients.your-server.de ([176.9.5.92]:33275 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933255AbaHHUy0 (ORCPT ); Fri, 8 Aug 2014 16:54:26 -0400 Date: Fri, 8 Aug 2014 22:54:25 +0200 From: "Serge E. Hallyn" To: Konstantin Khlebnikov Cc: "Serge E. Hallyn" , Konstantin Khlebnikov , Casey Schaufler , linux-security-module@vger.kernel.org, Linux Kernel Mailing List , James Morris Subject: Re: [PATCH 2/3] Smack: handle zero-length security labels without panic Message-ID: <20140808205425.GE25352@mail.hallyn.com> References: <20140807165233.13463.55258.stgit@buzz> <20140807165243.13463.74200.stgit@buzz> <20140808202549.GA25352@mail.hallyn.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Konstantin Khlebnikov (koct9i@gmail.com): > On Sat, Aug 9, 2014 at 12:25 AM, Serge E. Hallyn wrote: > > Quoting Konstantin Khlebnikov (k.khlebnikov@samsung.com): > >> Zero-length security labels are invalid but kernel should handle them. > >> > >> This patch fixes kernel panic after setting zero-length security labels: > >> # attr -S -s "SMACK64" -V "" file > >> > >> And after writing zero-length string into smackfs files syslog and onlycp: > >> # python -c 'import os; os.write(1, "")' > /smack/syslog > >> > >> The problem is caused by brain-damaged logic in function smk_parse_smack() > >> which takes pointer to buffer and its length but if length below or equal zero > >> it thinks that the buffer is zero-terminated. Unfortunately callers of this > >> function are widely used and proper fix requires serious refactoring. > >> > >> Signed-off-by: Konstantin Khlebnikov > > > > Acked-by: Serge Hallyn > > > >> > >> --- > >> > >> Example: > >> > >> [ 28.063935] BUG: unable to handle kernel NULL pointer dereference at (null) > >> [ 28.064623] IP: [] strlen+0x0/0x30 > >> [ 28.064623] PGD 29a77067 PUD 2972d067 PMD 0 > >> [ 28.064623] Oops: 0000 [#1] SMP > >> [ 28.064623] Modules linked in: > >> [ 28.064623] CPU: 0 PID: 824 Comm: attr Not tainted 3.16.0+ #6 > >> [ 28.064623] task: ffff880029bd88c0 ti: ffff8800297d0000 task.ti: ffff8800297d0000 > >> [ 28.064623] RIP: 0010:[] [] strlen+0x0/0x30 > >> [ 28.064623] RSP: 0018:ffff8800297d3ca8 EFLAGS: 00010246 > >> [ 28.064623] RAX: 0000000000000001 RBX: ffff880029c096c0 RCX: 0000000000000001 > >> [ 28.064623] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 > >> [ 28.064623] RBP: ffff8800297d3cd0 R08: ffffffff81e3d940 R09: ffff88002a3e8588 > >> [ 28.064623] R10: 8080808080808080 R11: 0000000000000000 R12: 0000000000000000 > >> [ 28.064623] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > >> [ 28.064623] FS: 00007effe391a700(0000) GS:ffff88002a400000(0000) knlGS:0000000000000000 > >> [ 28.064623] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > >> [ 28.064623] CR2: 0000000000000000 CR3: 00000000297a1000 CR4: 00000000001406b0 > >> [ 28.064623] Stack: > >> [ 28.064623] ffffffff812a6fa5 ffff880029c096c0 0000000000000001 0000000000000000 > >> [ 28.064623] 0000000000000000 ffff8800297d3cf8 ffffffff812a70ae ffff880029c096c0 > >> [ 28.064623] 0000000000000001 0000000000000000 ffff8800297d3d88 ffffffff812a64dc > >> [ 28.064623] Call Trace: > >> [ 28.064623] [] ? smk_parse_smack+0xe5/0x110 > >> [ 28.064623] [] smk_import_entry+0xe/0x130 > >> [ 28.064623] [] smack_inode_setxattr+0x11c/0x280 > >> [ 28.064623] [] ? lookup_fast+0x177/0x2e0 > >> [ 28.064623] [] ? dput+0x21/0x1a0 > >> [ 28.064623] [] security_inode_setxattr+0x1b/0x30 > >> [ 28.064623] [] vfs_setxattr+0x6f/0xb0 > >> [ 28.064623] [] setxattr+0x1a6/0x1f0 > >> [ 28.064623] [] ? final_putname+0x1d/0x40 > >> [ 28.064623] [] ? putname+0x24/0x40 > >> [ 28.064623] [] ? user_path_at_empty+0x5a/0xa0 > >> [ 28.064623] [] ? __sb_start_write+0x44/0xe0 > >> [ 28.064623] [] ? do_brk+0x241/0x320 > >> [ 28.064623] [] SyS_lsetxattr+0x87/0xe0 > >> [ 28.064623] [] system_call_fastpath+0x16/0x1b > >> [ 28.064623] Code: 89 f8 48 89 e5 f6 82 40 3e a6 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 40 3e a6 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80 > >> [ 28.064623] RIP [] strlen+0x0/0x30 > >> [ 28.064623] RSP > >> [ 28.064623] CR2: 0000000000000000 > >> [ 28.093561] ---[ end trace de1055429a98a5be ]--- > >> --- > >> security/smack/smack_lsm.c | 2 +- > >> security/smack/smackfs.c | 4 ++-- > >> 2 files changed, 3 insertions(+), 3 deletions(-) > >> > >> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > >> index b11ab23..afa5ad0 100644 > >> --- a/security/smack/smack_lsm.c > >> +++ b/security/smack/smack_lsm.c > >> @@ -923,7 +923,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, > >> rc = -EPERM; > >> > >> if (rc == 0 && check_import) { > >> - skp = smk_import_entry(value, size); > >> + skp = size ? smk_import_entry(value, size) : NULL; > >> if (skp == NULL || (check_star && > >> (skp == &smack_known_star || skp == &smack_known_web))) > >> rc = -EINVAL; > >> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c > >> index 3c720ff..56a1439 100644 > >> --- a/security/smack/smackfs.c > >> +++ b/security/smack/smackfs.c > >> @@ -1677,7 +1677,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, > >> if (smack_onlycap != NULL && smack_onlycap != skp) > >> return -EPERM; > >> > >> - data = kzalloc(count, GFP_KERNEL); > >> + data = kzalloc(count + 1, GFP_KERNEL); > >> if (data == NULL) > >> return -ENOMEM; > >> > >> @@ -2228,7 +2228,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf, > >> if (!smack_privileged(CAP_MAC_ADMIN)) > >> return -EPERM; > >> > > > > How about putting a comment here explaining that this way if len is 0 you > > make sure to have '\0' to avoid parsing problems? > > There are plenty of these comments. That design is uncommon and Exactly why it should be documented. > extremely dangerous, > it cannot be neutralized just by a comment. It's not about neutralizing it. It's about down the road, while you're on leave for a few months, someone saying "say that +1 seems unnecessary, I'll just remove it." > Probably magic length '0' might be replaced with magic '-1' which is much safer. Could be. > > > >> - data = kzalloc(count, GFP_KERNEL); > >> + data = kzalloc(count + 1, GFP_KERNEL); > >> if (data == NULL) > >> return -ENOMEM; > >> > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > Please read the FAQ at http://www.tux.org/lkml/