From: Sasha Levin Date: Mon, 28 Oct 2024 00:24:32 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.15.170~24^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3594acab1619a6df804d64be7f0b6b4afaa0aedc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/selinux-improve-error-checking-in-sel_write_load.patch b/queue-4.19/selinux-improve-error-checking-in-sel_write_load.patch new file mode 100644 index 00000000000..0ba8f50da04 --- /dev/null +++ b/queue-4.19/selinux-improve-error-checking-in-sel_write_load.patch @@ -0,0 +1,89 @@ +From d268e1b7b967314c610ad15ece96f690fac60d83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2024 11:21:29 -0300 +Subject: selinux: improve error checking in sel_write_load() + +From: Paul Moore + +[ Upstream commit 42c773238037c90b3302bf37a57ae3b5c3f6004a ] + +Move our existing input sanity checking to the top of sel_write_load() +and add a check to ensure the buffer size is non-zero. + +Move a local variable initialization from the declaration to before it +is used. + +Minor style adjustments. + +Reported-by: Sam Sun +Signed-off-by: Paul Moore +[cascardo: keep fsi initialization at its declaration point as it is used earlier] +[cascardo: keep check for 64MiB size limit] +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Sasha Levin +--- + security/selinux/selinuxfs.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index 60b3f16bb5c7b..c35aab9f24471 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -536,6 +536,16 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, + ssize_t length; + void *data = NULL; + ++ /* no partial writes */ ++ if (*ppos) ++ return -EINVAL; ++ /* no empty policies */ ++ if (!count) ++ return -EINVAL; ++ ++ if (count > 64 * 1024 * 1024) ++ return -EFBIG; ++ + mutex_lock(&fsi->mutex); + + length = avc_has_perm(&selinux_state, +@@ -544,23 +554,15 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, + if (length) + goto out; + +- /* No partial writes. */ +- length = -EINVAL; +- if (*ppos != 0) +- goto out; +- +- length = -EFBIG; +- if (count > 64 * 1024 * 1024) +- goto out; +- +- length = -ENOMEM; + data = vmalloc(count); +- if (!data) ++ if (!data) { ++ length = -ENOMEM; + goto out; +- +- length = -EFAULT; +- if (copy_from_user(data, buf, count) != 0) ++ } ++ if (copy_from_user(data, buf, count) != 0) { ++ length = -EFAULT; + goto out; ++ } + + length = security_load_policy(fsi->state, data, count); + if (length) { +@@ -579,6 +581,7 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, + "auid=%u ses=%u lsm=selinux res=1", + from_kuid(&init_user_ns, audit_get_loginuid(current)), + audit_get_sessionid(current)); ++ + out: + mutex_unlock(&fsi->mutex); + vfree(data); +-- +2.43.0 + diff --git a/queue-4.19/series b/queue-4.19/series index e5188d42542..c521cd854c2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -313,3 +313,4 @@ dt-bindings-power-add-r8a774b1-sysc-power-domain-def.patch net-usb-usbnet-fix-name-regression.patch posix-clock-posix-clock-fix-unbalanced-locking-in-pc.patch alsa-hda-realtek-update-default-depop-procedure.patch +selinux-improve-error-checking-in-sel_write_load.patch