Commit 3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa
Committed by
James Morris
James Morris
1 parent
9f1c1d426b
AppArmor: Ensure the size of the copy is < the buffer allocated to hold it
Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees.cook@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Showing 1 changed file with 3 additions and 1 deletions Side-by-side Diff
security/apparmor/apparmorfs.c
| ... | ... | @@ -29,7 +29,7 @@ |
| 29 | 29 | * aa_simple_write_to_buffer - common routine for getting policy from user |
| 30 | 30 | * @op: operation doing the user buffer copy |
| 31 | 31 | * @userbuf: user buffer to copy data from (NOT NULL) |
| 32 | - * @alloc_size: size of user buffer | |
| 32 | + * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) | |
| 33 | 33 | * @copy_size: size of data to copy from user buffer |
| 34 | 34 | * @pos: position write is at in the file (NOT NULL) |
| 35 | 35 | * |
| ... | ... | @@ -41,6 +41,8 @@ |
| 41 | 41 | loff_t *pos) |
| 42 | 42 | { |
| 43 | 43 | char *data; |
| 44 | + | |
| 45 | + BUG_ON(copy_size > alloc_size); | |
| 44 | 46 | |
| 45 | 47 | if (*pos != 0) |
| 46 | 48 | /* only writes from pos 0, that is complete writes */ |