lsm/stable-6.8 PR 20240215
-----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmXOi94UHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXNtBRAAgbZnKpuUAmXdx5Z4IEfFOGJ+p5BI FzfL6kSYWw91MABi5kCbIHLhtNMO9nRTMZKXzbintltk/1dD1hEojTR2h7r4M+fj Bn0bFaWI1lYKN329KcTWsrVXzqekbRl1091VHaQRp3ce+ylwoCCt82v2m70gJRrx q9stlAeRmxpmPkRtyza4uk1R7BjliAujfKeXbPwq8IoPR0q75pFTaiATPMPXucxL Z1bSr08WrcbZepjJpmxujdPy9m+hR5M8e9dPv6mG5MfGFgwRjZrWQ06QdJHBr1Jq cFgiZxRp+EaSWNrmtYxIsiFYajPdkOiPkQ5uBTGIoYaAi3MDrq+LgShoLHq+eqvq DmWD/Vo98GRF3xHubcbRuJZkUEWkgZS4wl0WIeaxlCYpKrzKhrr1yPkeHBqXVHiE y5JnY0xI4Htg4vcYcQUAXEE5u/7MTF/ydMa22iwrmCpLcAfaWZ2sJGwo76TchWmD FbTCyFJ4aOCqY2ALZUJYp8ONgkeqsynMNv9YL7/dY7JIRx3nKjby0QtZPf8XtFOT D5h+iTwSADXENDgqpE6+/76eVWYPuQmvgD0xPx+6xpqKBIJKMOe+Fi6FB3N5Brnf 1PES5YvDT3qrb1DOtYP3QLKYFQDwbKKeu39A5i2pEHnarjJiqXTfeTDi5iZ/whLS SEWjfx5uexpBCmI= =E5XR -----END PGP SIGNATURE----- Merge tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm fix from Paul Moore: "One small LSM patch to fix a potential integer overflow in the newly added lsm_set_self_attr() syscall" * tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: fix integer overflow in lsm_set_self_attr() syscall
commit
b8ef920168
@ -29,6 +29,7 @@
|
||||
#include <linux/backing-dev.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/msg.h>
|
||||
#include <linux/overflow.h>
|
||||
#include <net/flow.h>
|
||||
|
||||
/* How many LSMs were built into the kernel? */
|
||||
@ -4015,6 +4016,7 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
|
||||
struct security_hook_list *hp;
|
||||
struct lsm_ctx *lctx;
|
||||
int rc = LSM_RET_DEFAULT(setselfattr);
|
||||
u64 required_len;
|
||||
|
||||
if (flags)
|
||||
return -EINVAL;
|
||||
@ -4027,8 +4029,9 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
|
||||
if (IS_ERR(lctx))
|
||||
return PTR_ERR(lctx);
|
||||
|
||||
if (size < lctx->len || size < lctx->ctx_len + sizeof(*lctx) ||
|
||||
lctx->len < lctx->ctx_len + sizeof(*lctx)) {
|
||||
if (size < lctx->len ||
|
||||
check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||
|
||||
lctx->len < required_len) {
|
||||
rc = -EINVAL;
|
||||
goto free_out;
|
||||
}
|
||||
|
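Review bot: The reworked length check in the last hunk relies on two facts that are not written down. First, `required_len` is only meaningful when `check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len)` returns false, so the `lctx->len < required_len` operand must stay after it in the `||` chain. Second, the removed `size < lctx->ctx_len + sizeof(*lctx)` test is now covered transitively by `size >= lctx->len` and `lctx->len >= required_len`. A short comment above the `if` would keep a later edit from reordering the operands or re-adding the unchecked sum, for example `/* required_len is valid only when the add did not overflow; size >= len >= required_len bounds the ctx */`. security_setselfattr() begins and ends outside the visible hunks, so how `lctx` is copied from `uctx` and what `free_out` releases cannot be checked from here.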