Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGoldwyn Rodrigues <rgoldwyn@suse.com>2018-10-15 10:56:30 -0500
committerGoldwyn Rodrigues <rgoldwyn@suse.com>2018-10-15 10:56:43 -0500
commit724e8629ea52184531059afb2a888406f930f8e2 (patch)
tree08f7537962360cb3d8c023c02e343ab2f974a991
parentfd44f084f8abdcc71ad9cda66a824636dcf64e91 (diff)
apparmor: Check buffer bounds when mapping permissions mask
(git-fixes).
-rw-r--r--patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch88
-rw-r--r--series.conf1
2 files changed, 89 insertions, 0 deletions
diff --git a/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch b/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
new file mode 100644
index 0000000000..75c930c7c8
--- /dev/null
+++ b/patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
@@ -0,0 +1,88 @@
+From 7f3ebcf2b1395e0248e56146041e1e5625fd2f23 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Fri Jul 6 05:25:00 2018 +0000
+Subject: [PATCH] apparmor: Check buffer bounds when mapping permissions mask
+Git-commit: 7f3ebcf2b1395e0248e56146041e1e5625fd2f23
+References: git-fixes
+Patch-mainline: v4.19-rc1
+
+Don't read past the end of the buffer containing permissions
+characters or write past the end of the destination string.
+
+Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
+
+Fixes: e53cfe6c7caa ("apparmor: rework perm mapping to a slightly broader set")
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+
+---
+ security/apparmor/file.c | 3 ++-
+ security/apparmor/include/perms.h | 3 ++-
+ security/apparmor/lib.c | 17 +++++++++++++----
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -46,7 +46,8 @@ static void audit_file_mask(struct audit
+ {
+ char str[10];
+
+- aa_perm_mask_to_str(str, aa_file_perm_chrs, map_mask_to_chr_mask(mask));
++ aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
++ map_mask_to_chr_mask(mask));
+ audit_log_string(ab, str);
+ }
+
+--- a/security/apparmor/include/perms.h
++++ b/security/apparmor/include/perms.h
+@@ -137,7 +137,8 @@ extern struct aa_perms allperms;
+ xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
+
+
+-void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
++void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
++ u32 mask);
+ void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
+ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
+ u32 chrsmask, const char **names, u32 namesmask);
+--- a/security/apparmor/lib.c
++++ b/security/apparmor/lib.c
+@@ -198,15 +198,24 @@ const char *aa_file_perm_names[] = {
+ /**
+ * aa_perm_mask_to_str - convert a perm mask to its short string
+ * @str: character buffer to store string in (at least 10 characters)
++ * @str_size: size of the @str buffer
++ * @chrs: NUL-terminated character buffer of permission characters
+ * @mask: permission mask to convert
+ */
+-void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
++void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
+ {
+ unsigned int i, perm = 1;
++ size_t num_chrs = strlen(chrs);
++
++ for (i = 0; i < num_chrs; perm <<= 1, i++) {
++ if (mask & perm) {
++ /* Ensure that one byte is left for NUL-termination */
++ if (WARN_ON_ONCE(str_size <= 1))
++ break;
+
+- for (i = 0; i < 32; perm <<= 1, i++) {
+- if (mask & perm)
+ *str++ = chrs[i];
++ str_size--;
++ }
+ }
+ *str = '\0';
+ }
+@@ -235,7 +244,7 @@ void aa_audit_perm_mask(struct audit_buf
+
+ audit_log_format(ab, "\"");
+ if ((mask & chrsmask) && chrs) {
+- aa_perm_mask_to_str(str, chrs, mask & chrsmask);
++ aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
+ mask &= ~chrsmask;
+ audit_log_format(ab, "%s", str);
+ if (mask & namesmask)
diff --git a/series.conf b/series.conf
index 4957484b90..b0dfdb98d5 100644
--- a/series.conf
+++ b/series.conf
@@ -17594,6 +17594,7 @@
patches.arch/powerpc-topology-Get-topology-for-shared-processors-.patch
patches.arch/KVM-PPC-Book3S-Fix-guest-DMA-when-guest-partially-ba.patch
patches.arch/powerpc-mce-Fix-SLB-rebolting-during-MCE-recovery-pa.patch
+ patches.apparmor/apparmor-Check-buffer-bounds-when-mapping-permissions-mask.patch
patches.apparmor/apparmor-Fully-initialize-aa_perms-struct-when-answe.patch
patches.apparmor/apparmor-Fix-failure-to-audit-context-info-in-build_.patch
patches.apparmor/apparmor-fix-an-error-code-in-__aa_create_ns.patch