AppArmor: Ensure the size of the copy is < the buffer allocated to hold it

Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code. Signed-off-by: N John Johansen <john.johansen@canonical.com> Acked-by: N Kees Cook <kees.cook@canonical.com> Signed-off-by: N James Morris <jmorris@namei.org>

AppArmor: Ensure the size of the copy is < the buffer allocated to hold it
Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code. Signed-off-by: N John Johansen <john.johansen@canonical.com> Acked-by: N Kees Cook <kees.cook@canonical.com> Signed-off-by: N James Morris <jmorris@namei.org>
3ed02ada · John Johansen · James Morris · 9f1c1d42 · 3ed02ada
显示空白变更内容
内联并排

Showing with 3 addition and 1 deletion

security/apparmor/apparmorfs.c security/apparmor/apparmorfs.c +3 -1

未找到文件。
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -29,7 +29,7 @@
 * aa_simple_write_to_buffer - common routine for getting policy from user
 * @op: operation doing the user buffer copy
 * @userbuf: user buffer to copy data from  (NOT NULL)
- * @alloc_size: size of user buffer
+ * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
 * @copy_size: size of data to copy from user buffer
 * @pos: position write is at in the file (NOT NULL)
 *
@@ -42,6 +42,8 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
 {
 	char *data;
+	BUG_ON(copy_size > alloc_size);
 	if (*pos != 0)
 		/* only writes from pos 0, that is complete writes */
 		return ERR_PTR(-ESPIPE);