stable.vger.kernel.org archive mirror
From: Vegard Nossum <vegard.nossum@oracle.com>
To: Jiri Slaby <jslaby@suse.cz>, stable@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	John Johansen <john.johansen@canonical.com>,
	Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <james.l.morris@oracle.com>
Subject: Re: [patch added to 3.12-stable] apparmor: fix oops, validate buffer size in apparmor_setprocattr()
Date: Fri, 27 Jan 2017 11:54:59 +0100
Message-ID: <65ab4f7b-8b8e-a449-2dd8-8ce1882ee99a@oracle.com>
In-Reply-To: <20170127104747.24816-48-jslaby@suse.cz>

On 27/01/2017 11:47, Jiri Slaby wrote:
> From: Vegard Nossum <vegard.nossum@oracle.com>
>
> This patch has been added to the 3.12 stable tree. If you have any
> objections, please let us know.
>
> ===============
>
> commit e89b8081327ac9efbf273e790b8677e64fd0361a upstream.

IIRC this fixed a bug introduced in 4.7 or 4.8 or something, so I don't
think it's needed for 3.12, unless...

>
> When proc_pid_attr_write() was changed to use memdup_user apparmor's
> (interface violating) assumption that the setprocattr buffer was always
> a single page was violated.
>
> The size test is not strictly speaking needed as proc_pid_attr_write()
> will reject anything larger, but for the sake of robustness we can keep
> it in.
>
> SMACK and SELinux look safe to me, but somebody else should probably
> have a look just in case.
>
> Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
> modified for the case that apparmor provides null termination.
>
> Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a

...unless 3.12 has a backport of this commit?

Or did you find that older kernels are vulnerable too?


Vegard
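
The buffer-size assumption described in the quoted commit message, as an added userspace example (not part of this thread and not the kernel's code): once the caller passes a copy sized exactly to the data instead of a full page, terminating the value in place stores one byte past the allocation, while terminating a private copy does not. `MODEL_PAGE_SIZE`, `inplace_terminator_oob()` and `copy_terminated()` are hypothetical names, and a 4 KiB page is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages */

/* Flawed assumption, modelled without performing the write: an
 * unterminated value of `size` bytes is terminated in place by a store
 * to value[size]. Returns 1 if that store would fall outside an
 * allocation of alloc_len bytes, 0 if it stays inside. */
static int inplace_terminator_oob(size_t alloc_len, size_t size)
{
    return size >= alloc_len; /* index `size` needs size + 1 bytes */
}

/* Hardened shape: validate the size, then terminate a private copy
 * instead of the caller's buffer. On success *out is a malloc'd,
 * NUL-terminated string the caller frees. Returns 0 or -errno. */
static int copy_terminated(const char *value, size_t size, char **out)
{
    size_t need;
    char *copy;

    *out = NULL;
    if (size == 0 || size > MODEL_PAGE_SIZE) /* robustness check */
        return -EINVAL;
    /* Only an unterminated value needs the extra byte. */
    need = (value[size - 1] == '\0') ? size : size + 1;
    copy = malloc(need);
    if (!copy)
        return -ENOMEM;
    memcpy(copy, value, size);
    copy[need - 1] = '\0';
    *out = copy;
    return 0;
}

int main(void)
{
    char *s = NULL;

    /* Constructed sizes: a 4-byte value in a page vs. an exact-size copy. */
    printf("page buffer oob=%d\n", inplace_terminator_oob(MODEL_PAGE_SIZE, 4));
    printf("exact buffer oob=%d\n", inplace_terminator_oob(4, 4));
    if (copy_terminated("exec", 4, &s) == 0)
        printf("copied \"%s\"\n", s);
    free(s);
    return 0;
}
```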
