commit 61280bbe04b114ac4d422304b67a79c6671dc8ee
author Sabyrzhan Tasbolatov <snovitoll@gmail.com> Fri Jan 22 19:12:00 2021 +0600
committer Sabyrzhan Tasbolatov <snovitoll@gmail.com> Sun Jan 24 17:45:51 2021 +0600
tree 36a48f585a8fa4fb3731dec5db52dbb135d4488b
parent 1e2a199f6ccdc15cf111d68d212e2fd4ce65682e

smackfs: restrict bytes count before memdup_user_nul in write functions

syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger SMK_LONGLABEL,
for smk_write_syslog if bigger than PAGE_SIZE - 1.

Change-Id: Ifb5d4a6d4ee33df61c119462cbecbd6cc7ce7014
Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>

security/smack/smackfs.c

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5d44b7d..88678c6 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1167,7 +1167,7 @@
 		return -EPERM;
 	if (*ppos != 0)
 		return -EINVAL;
-	if (count < SMK_NETLBLADDRMIN)
+	if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
 		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
@@ -1427,7 +1427,7 @@
 		return -EPERM;
 	if (*ppos != 0)
 		return -EINVAL;
-	if (count < SMK_NETLBLADDRMIN)
+	if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
 		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
@@ -2647,6 +2647,8 @@
 
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
+	if (count > PAGE_SIZE - 1)
+		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))
@@ -2744,6 +2746,8 @@
 	 */
 	if (*ppos != 0)
 		return -EINVAL;
+	if (count > SMK_LONGLABEL)
+		return -EINVAL;
 
 	data = memdup_user_nul(buf, count);
 	if (IS_ERR(data))