summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorEric Paris <eparis@parisplace.org>2005-06-30 02:58:51 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-06-30 08:45:09 -0700
commit6931dfc9f3f81d148b7ed0ab3fd796f8b986a995 (patch)
tree8c7251413b1243e29dc155fd9590931b423c5e31 /security
parent9a936eb928c1a253c2e5d66b947688bdc55094a6 (diff)
downloadlinux-3.10-6931dfc9f3f81d148b7ed0ab3fd796f8b986a995.tar.gz
linux-3.10-6931dfc9f3f81d148b7ed0ab3fd796f8b986a995.tar.bz2
linux-3.10-6931dfc9f3f81d148b7ed0ab3fd796f8b986a995.zip
[PATCH] selinux_sb_copy_data() should not require a whole page
Currently selinux_sb_copy_data requires an entire page be allocated to *orig when the function is called. This "requirement" is based on the fact that we call copy_page(in_save, nosec_save) and in_save = orig when the data is not FS_BINARY_MOUNTDATA. This means that if a caller were to call do_kern_mount with only about 10 bytes of options, they would get passed here and then we would corrupt PAGE_SIZE - 10 bytes of memory (with all zeros.) Currently it appears all in kernel FS's use one page of data so this has not been a problem. An out of kernel FS did just what is described above and it would almost always panic shortly after they tried to mount. From looking else where in the kernel it is obvious that this string of data must always be null terminated. (See example in do_mount where it always zeros the last byte.) Thus I suggest we use strcpy in place of copy_page. In this way we make sure the amount we copy is always less than or equal to the amount we received and since do_mount is zeroing the last byte this should be safe for all. Signed-off-by: Eric Paris <eparis@parisplace.org> Cc: Stephen Smalley <sds@epoch.ncsc.mil> Acked-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 17a1189f1ff..6be27385114 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -68,6 +68,7 @@
#include <linux/personality.h>
#include <linux/sysctl.h>
#include <linux/audit.h>
+#include <linux/string.h>
#include "avc.h"
#include "objsec.h"
@@ -1943,7 +1944,7 @@ static int selinux_sb_copy_data(struct file_system_type *type, void *orig, void
}
} while (*in_end++);
- copy_page(in_save, nosec_save);
+ strcpy(in_save, nosec_save);
free_page((unsigned long)nosec_save);
out:
return rc;