From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
John Johansen <john.johansen@canonical.com>,
James Morris <james.l.morris@oracle.com>,
Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 3.18 30/68] apparmor: Make path_max parameter readonly
Date: Mon, 19 Mar 2018 19:06:08 +0100
Message-ID: <20180319171832.014048042@linuxfoundation.org>
In-Reply-To: <20180319171827.899658615@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
[ Upstream commit 622f6e3265707ebf02ba776ac6e68003bcc31213 ]
The path_max parameter determines the max size of buffers allocated
but it should not be settable at run time. It can be used to cause an
oops
root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max
root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max
Killed
[ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff
[ 122.143497] IP: [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.144742] PGD 220c067 PUD 0
[ 122.145453] Oops: 0002 [#1] SMP
[ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect
[ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes
[ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu
[ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000
[ 122.170018] RIP: 0010:[<ffffffff81228844>] [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206
[ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000
[ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010
[ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000
[ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000
[ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400
[ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000
[ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0
[ 122.182469] Stack:
[ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000
[ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58
[ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000
[ 122.187231] Call Trace:
[ 122.187680] [<ffffffff81385671>] aa_path_name+0x81/0x370
[ 122.188637] [<ffffffff813875dd>] profile_transition+0xbd/0xb80
[ 122.190181] [<ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0
[ 122.191674] [<ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0
[ 122.193288] [<ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220
[ 122.194793] [<ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30
[ 122.196392] [<ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110
[ 122.198004] [<ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50
[ 122.199737] [<ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600
[ 122.201377] [<ffffffff81346e53>] security_bprm_set_creds+0x33/0x50
[ 122.203024] [<ffffffff81214ce5>] prepare_binprm+0x85/0x190
[ 122.204515] [<ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710
[ 122.206200] [<ffffffff81216a6a>] SyS_execve+0x3a/0x50
[ 122.207615] [<ffffffff81838795>] stub_execve+0x5/0x5
[ 122.208978] [<ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8
[ 122.217320] RIP [<ffffffff81228844>] d_absolute_path+0x44/0xa0
[ 122.218860] RSP <ffff880076477b90>
[ 122.219919] CR2: ffff880080945fff
[ 122.220936] ---[ end trace 506cdbd85eb6c55e ]---
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -735,7 +735,7 @@ module_param_named(logsyscall, aa_g_logs
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.
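Review bot: On the changed module_param_named(path_max, ...) line, dropping S_IWUSR closes only the sysfs write path; aa_g_path_max remains a module parameter initialised to 2 * PATH_MAX, so it can still be given an arbitrary value at boot, and nothing in this hunk bounds it. If the buffers sized from it cannot safely exceed some limit, consider also rejecting out-of-range values in the handler behind the aauint type (not shown in this hunk), or clamping where the buffer is allocated, so the oops in the commit message cannot be reached from a boot-time setting. The comment above the variable could also say that the value is fixed after boot, since the permission change is otherwise the only place that records it.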