Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

From: Sabyrzhan Tasbolatov
Date: Thu Jan 28 2021 - 08:28:14 EST

Next message: Rafael J. Wysocki: "Re: [net-next PATCH v4 01/15] Documentation: ACPI: DSD: Document MDIO PHY"
Previous message: Vincenzo Frascino: "Re: KASAN: invalid-access Read in kmem_cache_destroy"
In reply to: Tetsuo Handa: "Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions"
Next in thread: Tetsuo Handa: "Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > /*
> > + * No partial write.
> > * Enough data must be present.
> > */
> > if (*ppos != 0)
> > return -EINVAL;
> > + if (count == 0 || count > PAGE_SIZE)
> > + return -EINVAL;
> >
> > data = memdup_user_nul(buf, count);
> > if (IS_ERR(data))
> >
>
> Doesn't this change break legitimate requests like
>
> char buffer[20000];
>
> memset(buffer, ' ', sizeof(buffer));
> memcpy(buffer + sizeof(buffer) - 10, "foo", 3);
> write(fd, buffer, sizeof(buffer));
>
> ?

It does, in this case. Then I need to patch another version with
whitespace stripping before, after label. I just followed the same thing
that I see in security/selinux/selinuxfs.c sel_write_enforce() etc.

It has the same memdup_user_nul() and count >= PAGE_SIZE check prior to that.

Next message: Rafael J. Wysocki: "Re: [net-next PATCH v4 01/15] Documentation: ACPI: DSD: Document MDIO PHY"
Previous message: Vincenzo Frascino: "Re: KASAN: invalid-access Read in kmem_cache_destroy"
In reply to: Tetsuo Handa: "Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions"
Next in thread: Tetsuo Handa: "Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]