safesetid: check size of policy writes
authorLeo Stone <leocstone@gmail.com>
Tue, 17 Dec 2024 18:26:57 +0000 (10:26 -0800)
committerPaul Moore <paul@paul-moore.com>
Sun, 5 Jan 2025 03:46:09 +0000 (22:46 -0500)
syzbot attempts to write a buffer with a large size to a sysfs entry
with writes handled by handle_policy_update(), triggering a warning
in kmalloc.

Check the size specified for write buffers before allocating.

Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a
Signed-off-by: Leo Stone <leocstone@gmail.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/safesetid/securityfs.c

index 25310468bcddfff80bb4d6445b084c8654e52e75..8e1ffd70b18ab4d9745d3298bb7fcf63d4bfbbe5 100644 (file)
@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
        char *buf, *p, *end;
        int err;
 
+       if (len >= KMALLOC_MAX_SIZE)
+               return -EINVAL;
+
        pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
        if (!pol)
                return -ENOMEM;
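Review bot: The new guard `if (len >= KMALLOC_MAX_SIZE)` bounds the write by the allocator's ceiling rather than by anything the policy format needs, and nothing in the hunk explains why the comparison is `>=` and not `>`. The allocation that consumes `len` is outside the hunk, so this is inferred: if the user buffer is copied with a trailing NUL, `>=` is what keeps `len + 1` within the limit, and a comment such as `/* the copy below allocates len + 1 bytes; reject what kmalloc cannot satisfy */` would record that for the next reader. A smaller, policy-specific cap would also limit how much kernel memory a single write to this entry can request, though that is a design decision for the maintainers. The body of handle_policy_update begins and ends outside the hunk.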