From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
Serge Hallyn <serge@hallyn.com>,
James Morris <james.l.morris@oracle.com>
Subject: [PATCH 4.14 02/14] capabilities: fix buffer overread on very short xattr
Date: Thu, 4 Jan 2018 13:09:19 +0100 [thread overview]
Message-ID: <20180104120917.362003545@linuxfoundation.org> (raw)
In-Reply-To: <20180104120917.043667757@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit dc32b5c3e6e2ef29cef76d9ce1b92d394446150e upstream.
If userspace attempted to set a "security.capability" xattr shorter than
4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
cap_convert_nscap() read past the end of the buffer containing the xattr
value because it accessed the ->magic_etc field without verifying that
the xattr value is long enough to contain that field.
Fix it by validating the xattr value size first.
This bug was found using syzkaller with KASAN. The KASAN report was as
follows (cleaned up slightly):
BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852
CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 #253
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xe3/0x195 lib/dump_stack.c:53
print_address_description+0x73/0x260 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x235/0x350 mm/kasan/report.c:409
cap_convert_nscap+0x514/0x630 security/commoncap.c:498
setxattr+0x2bd/0x350 fs/xattr.c:446
path_setxattr+0x168/0x1b0 fs/xattr.c:472
SYSC_setxattr fs/xattr.c:487 [inline]
SyS_setxattr+0x36/0x50 fs/xattr.c:483
entry_SYSCALL_64_fastpath+0x18/0x85
Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/commoncap.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -348,21 +348,18 @@ static __u32 sansflags(__u32 m)
return m & ~VFS_CAP_FLAGS_EFFECTIVE;
}
-static bool is_v2header(size_t size, __le32 magic)
+static bool is_v2header(size_t size, const struct vfs_cap_data *cap)
{
- __u32 m = le32_to_cpu(magic);
if (size != XATTR_CAPS_SZ_2)
return false;
- return sansflags(m) == VFS_CAP_REVISION_2;
+ return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
}
-static bool is_v3header(size_t size, __le32 magic)
+static bool is_v3header(size_t size, const struct vfs_cap_data *cap)
{
- __u32 m = le32_to_cpu(magic);
-
if (size != XATTR_CAPS_SZ_3)
return false;
- return sansflags(m) == VFS_CAP_REVISION_3;
+ return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
}
/*
@@ -405,7 +402,7 @@ int cap_inode_getsecurity(struct inode *
fs_ns = inode->i_sb->s_user_ns;
cap = (struct vfs_cap_data *) tmpbuf;
- if (is_v2header((size_t) ret, cap->magic_etc)) {
+ if (is_v2header((size_t) ret, cap)) {
/* If this is sizeof(vfs_cap_data) then we're ok with the
* on-disk value, so return that. */
if (alloc)
@@ -413,7 +410,7 @@ int cap_inode_getsecurity(struct inode *
else
kfree(tmpbuf);
return ret;
- } else if (!is_v3header((size_t) ret, cap->magic_etc)) {
+ } else if (!is_v3header((size_t) ret, cap)) {
kfree(tmpbuf);
return -EINVAL;
}
@@ -470,9 +467,9 @@ static kuid_t rootid_from_xattr(const vo
return make_kuid(task_ns, rootid);
}
-static bool validheader(size_t size, __le32 magic)
+static bool validheader(size_t size, const struct vfs_cap_data *cap)
{
- return is_v2header(size, magic) || is_v3header(size, magic);
+ return is_v2header(size, cap) || is_v3header(size, cap);
}
/*
@@ -495,7 +492,7 @@ int cap_convert_nscap(struct dentry *den
if (!*ivalue)
return -EINVAL;
- if (!validheader(size, cap->magic_etc))
+ if (!validheader(size, cap))
return -EINVAL;
if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
return -EPERM;
next prev parent reply other threads:[~2018-01-04 12:09 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-04 12:09 [PATCH 4.14 00/14] 4.14.12-stable review Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 01/14] exec: Weaken dumpability for secureexec Greg Kroah-Hartman
2018-01-04 12:09 ` Greg Kroah-Hartman [this message]
2018-01-04 12:09 ` [PATCH 4.14 03/14] x86/cpu, x86/pti: Do not enable PTI on AMD processors Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 04/14] x86/pti: Make sure the user/kernel PTEs match Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 05/14] x86/dumpstack: Fix partial register dumps Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 06/14] x86/dumpstack: Print registers for first stack frame Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 07/14] x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat() Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 08/14] x86/process: Define cpu_tss_rw in same section as declaration Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 09/14] Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find." Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 10/14] rtc: m41t80: m41t80_sqw_set_rate should return 0 on success Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 11/14] rtc: m41t80: fix m41t80_sqw_round_rate return value Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 12/14] rtc: m41t80: avoid i2c read in m41t80_sqw_recalc_rate Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 13/14] rtc: m41t80: avoid i2c read in m41t80_sqw_is_prepared Greg Kroah-Hartman
2018-01-04 12:09 ` [PATCH 4.14 14/14] rtc: m41t80: remove unneeded checks from m41t80_sqw_set_rate Greg Kroah-Hartman
2018-01-04 17:47 ` [PATCH 4.14 00/14] 4.14.12-stable review kernelci.org bot
2018-01-05 0:12 ` Kevin Hilman
2018-01-05 7:55 ` Greg Kroah-Hartman
2018-01-08 14:58 ` Guillaume Tucker
2018-01-04 18:52 ` Guenter Roeck
2018-01-05 12:13 ` Greg Kroah-Hartman
2018-01-04 19:46 ` Dan Rue
2018-01-05 8:04 ` Greg Kroah-Hartman
2018-01-04 22:03 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180104120917.362003545@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=james.l.morris@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox