Commit 6931dfc9 authored Jun 30, 2005 by Eric Paris Committed by Linus Torvalds Jun 30, 2005

[PATCH] selinux_sb_copy_data() should not require a whole page



Currently selinux_sb_copy_data requires an entire page be allocated to
*orig when the function is called.  This "requirement" is based on the fact
that we call copy_page(in_save, nosec_save) and in_save = orig when the
data is not FS_BINARY_MOUNTDATA.  This means that if a caller were to call
do_kern_mount with only about 10 bytes of options, they would get passed
here and then we would corrupt PAGE_SIZE - 10 bytes of memory (with all
zeros.)

Currently it appears all in kernel FS's use one page of data so this has
not been a problem.  An out of kernel FS did just what is described above
and it would almost always panic shortly after they tried to mount.  From
looking else where in the kernel it is obvious that this string of data
must always be null terminated.  (See example in do_mount where it always
zeros the last byte.) Thus I suggest we use strcpy in place of copy_page.
In this way we make sure the amount we copy is always less than or equal to
the amount we received and since do_mount is zeroing the last byte this
should be safe for all.

Signed-off-by: Eric Paris <eparis@parisplace.org>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

parent 9a936eb9

security/selinux/hooks.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -68,6 +68,7 @@
		#include <linux/personality.h>
		#include <linux/sysctl.h>
		#include <linux/audit.h>
		#include <linux/string.h>

		#include "avc.h"
		#include "objsec.h"
		@@ -1943,7 +1944,7 @@ static int selinux_sb_copy_data(struct file_system_type type, void orig, void
		}
		} while (*in_end++);

		copy_page(in_save, nosec_save);
		strcpy(in_save, nosec_save);
		free_page((unsigned long)nosec_save);
		out:
		return rc;

Admin message