[PATCH 1/4] security: smack: limit a length for a rule string in thelong format

From: Tomasz Stanislawski
Date: Wed Jun 19 2013 - 11:13:58 EST


The maximal length for a rule line for long format is introduced as
SMK_LOAD2LEN. Limiting the length of a rule line helps to avoid allocations of
a very long contiguous buffer from a heap if user calls write() for a very long
chunk. Such an allocation often causes a lot swapper/writeback havoc and it is
very likely to fail.

Signed-off-by: Tomasz Stanislawski <t.stanislaws@xxxxxxxxxxx>
---
security/smack/smackfs.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 08aebc2..5dcd520 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -137,6 +137,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
* SMK_ACCESS: Maximum possible combination of access permissions
* SMK_ACCESSLEN: Maximum length for a rule access field
* SMK_LOADLEN: Smack rule length
+ * SMK_LOAD2LEN: Smack maximal long rule length excluding \0
*/
#define SMK_OACCESS "rwxa"
#define SMK_ACCESS "rwxat"
@@ -144,6 +145,7 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION;
#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
#define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
+#define SMK_LOAD2LEN (2 * SMK_LONGLABEL + SMK_ACCESSLEN + 2)

/*
* Stricly for CIPSO level manipulation.
@@ -459,6 +461,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
if (*ppos != 0)
return -EINVAL;

+ if (count > SMK_LOAD2LEN)
+ count = SMK_LOAD2LEN;
+
if (format == SMK_FIXED24_FMT) {
/*
* Minor hack for backward compatibility
--
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/