lsm/stable-6.8 PR 20240215

-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmXOi94UHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXNtBRAAgbZnKpuUAmXdx5Z4IEfFOGJ+p5BI FzfL6kSYWw91MABi5kCbIHLhtNMO9nRTMZKXzbintltk/1dD1hEojTR2h7r4M+fj Bn0bFaWI1lYKN329KcTWsrVXzqekbRl1091VHaQRp3ce+ylwoCCt82v2m70gJRrx q9stlAeRmxpmPkRtyza4uk1R7BjliAujfKeXbPwq8IoPR0q75pFTaiATPMPXucxL Z1bSr08WrcbZepjJpmxujdPy9m+hR5M8e9dPv6mG5MfGFgwRjZrWQ06QdJHBr1Jq cFgiZxRp+EaSWNrmtYxIsiFYajPdkOiPkQ5uBTGIoYaAi3MDrq+LgShoLHq+eqvq DmWD/Vo98GRF3xHubcbRuJZkUEWkgZS4wl0WIeaxlCYpKrzKhrr1yPkeHBqXVHiE y5JnY0xI4Htg4vcYcQUAXEE5u/7MTF/ydMa22iwrmCpLcAfaWZ2sJGwo76TchWmD FbTCyFJ4aOCqY2ALZUJYp8ONgkeqsynMNv9YL7/dY7JIRx3nKjby0QtZPf8XtFOT D5h+iTwSADXENDgqpE6+/76eVWYPuQmvgD0xPx+6xpqKBIJKMOe+Fi6FB3N5Brnf 1PES5YvDT3qrb1DOtYP3QLKYFQDwbKKeu39A5i2pEHnarjJiqXTfeTDi5iZ/whLS SEWjfx5uexpBCmI= =E5XR -----END PGP SIGNATURE----- Merge tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm fix from Paul Moore: "One small LSM patch to fix a potential integer overflow in the newly added lsm_set_self_attr() syscall" * tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: fix integer overflow in lsm_set_self_attr() syscall
2024-02-16 07:58:43 -08:00 · 2024-02-16 07:58:43 -08:00 · b8ef920168
parent 4f5e5092fd d8bdd795d3
commit b8ef920168
1 changed files with 5 additions and 2 deletions
--- a/security/security.c
+++ b/security/security.c
@ -29,6 +29,7 @@
 #include <linux/backing-dev.h>
 #include <linux/string.h>
 #include <linux/msg.h>
+#include <linux/overflow.h>
 #include <net/flow.h>

 /* How many LSMs were built into the kernel? */
@ -4015,6 +4016,7 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
 	struct security_hook_list *hp;
 	struct lsm_ctx *lctx;
 	int rc = LSM_RET_DEFAULT(setselfattr);
+	u64 required_len;

 	if (flags)
 		return -EINVAL;
@ -4027,8 +4029,9 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
 	if (IS_ERR(lctx))
 		return PTR_ERR(lctx);

-	if (size < lctx->len || size < lctx->ctx_len + sizeof(*lctx) ||
-	    lctx->len < lctx->ctx_len + sizeof(*lctx)) {
+	if (size < lctx->len ||
+	    check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||
+	    lctx->len < required_len) {
 		rc = -EINVAL;
 		goto free_out;
 	}