smackfs: restrict bytes count before memdup_user_nul in write functions
syzbot found WARNINGs in several smackfs write operations where
bytes count is passed to memdup_user_nul which exceeds
GFP MAX_ORDER. Check count size if bigger SMK_LONGLABEL,
for smk_write_syslog if bigger than PAGE_SIZE - 1.
Change-Id: Ifb5d4a6d4ee33df61c119462cbecbd6cc7ce7014
Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5d44b7d..88678c6 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1167,7 +1167,7 @@
return -EPERM;
if (*ppos != 0)
return -EINVAL;
- if (count < SMK_NETLBLADDRMIN)
+ if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
return -EINVAL;
data = memdup_user_nul(buf, count);
@@ -1427,7 +1427,7 @@
return -EPERM;
if (*ppos != 0)
return -EINVAL;
- if (count < SMK_NETLBLADDRMIN)
+ if (count < SMK_NETLBLADDRMIN || count > SMK_LONGLABEL)
return -EINVAL;
data = memdup_user_nul(buf, count);
@@ -2647,6 +2647,8 @@
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
+ if (count > PAGE_SIZE - 1)
+ return -EINVAL;
data = memdup_user_nul(buf, count);
if (IS_ERR(data))
@@ -2744,6 +2746,8 @@
*/
if (*ppos != 0)
return -EINVAL;
+ if (count > SMK_LONGLABEL)
+ return -EINVAL;
data = memdup_user_nul(buf, count);
if (IS_ERR(data))