Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/selinux-improve-error-checking-in-sel_write_load.patch b/queue-5.4/selinux-improve-error-checking-in-sel_write_load.patch
new file mode 100644 (file)
index 0000000..989f2a9
--- /dev/null
+++ b/queue-5.4/selinux-improve-error-checking-in-sel_write_load.patch
@@ -0,0 +1,89 @@
+From 9b96c19a58b0c1a1bce6877617cdad028fd435bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 11:21:18 -0300
+Subject: selinux: improve error checking in sel_write_load()
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 42c773238037c90b3302bf37a57ae3b5c3f6004a ]
+
+Move our existing input sanity checking to the top of sel_write_load()
+and add a check to ensure the buffer size is non-zero.
+
+Move a local variable initialization from the declaration to before it
+is used.
+
+Minor style adjustments.
+
+Reported-by: Sam Sun <samsun1006219@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+[cascardo: keep fsi initialization at its declaration point as it is used earlier]
+[cascardo: keep check for 64MiB size limit]
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/selinuxfs.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index e9eaff90cbccd..fd6282fa9c39f 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -535,6 +535,16 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+       ssize_t length;
+       void *data = NULL;
+ 
++      /* no partial writes */
++      if (*ppos)
++              return -EINVAL;
++      /* no empty policies */
++      if (!count)
++              return -EINVAL;
++
++      if (count > 64 * 1024 * 1024)
++              return -EFBIG;
++
+       mutex_lock(&fsi->mutex);
+ 
+       length = avc_has_perm(&selinux_state,
+@@ -543,23 +553,15 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+       if (length)
+               goto out;
+ 
+-      /* No partial writes. */
+-      length = -EINVAL;
+-      if (*ppos != 0)
+-              goto out;
+-
+-      length = -EFBIG;
+-      if (count > 64 * 1024 * 1024)
+-              goto out;
+-
+-      length = -ENOMEM;
+       data = vmalloc(count);
+-      if (!data)
++      if (!data) {
++              length = -ENOMEM;
+               goto out;
+-
+-      length = -EFAULT;
+-      if (copy_from_user(data, buf, count) != 0)
++      }
++      if (copy_from_user(data, buf, count) != 0) {
++              length = -EFAULT;
+               goto out;
++      }
+ 
+       length = security_load_policy(fsi->state, data, count);
+       if (length) {
+@@ -578,6 +580,7 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
+               "auid=%u ses=%u lsm=selinux res=1",
+               from_kuid(&init_user_ns, audit_get_loginuid(current)),
+               audit_get_sessionid(current));
++
+ out:
+       mutex_unlock(&fsi->mutex);
+       vfree(data);
+-- 
+2.43.0
+

diff --git a/queue-5.4/series b/queue-5.4/series
index c6c38d90716d4d24391b5a7a1055675d53eada08..38e8f783420b7c851071b75ea3c263760ab75452 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -414,3 +414,4 @@ r8169-avoid-unsolicited-interrupts.patch
 posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch
 alsa-firewire-lib-avoid-division-by-zero-in-apply_co.patch
 alsa-hda-realtek-update-default-depop-procedure.patch
+selinux-improve-error-checking-in-sel_write_load.patch