From 135122f174c357b7a3e58f40fa5792156c5e93e6 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 12 Apr 2021 22:45:50 +0900 Subject: smackfs: restrict bytes count in smk_set_cipso() commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream. Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Casey Schaufler Signed-off-by: Greg Kroah-Hartman --- security/smack/smackfs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security') diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 5e75ff2e1b14..3823ab2c4e4b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, if (format == SMK_FIXED24_FMT && (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) return -EINVAL; + if (count > PAGE_SIZE) + return -EINVAL; data = memdup_user_nul(buf, count); if (IS_ERR(data)) -- cgit v1.2.3