Commit 3ed02ada2a5e695e2fbb5e4a0008cfcb0f50feaa
Committed by James Morris
1 parent 9f1c1d426b
AppArmor: Ensure the size of the copy is < the buffer allocated to hold it
Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
Showing 1 changed file with 3 additions and 1 deletions
security/apparmor/apparmorfs.c
... | ... | @@ -29,7 +29,7 @@ |
29 | 29 | * aa_simple_write_to_buffer - common routine for getting policy from user |
30 | 30 | * @op: operation doing the user buffer copy |
31 | 31 | * @userbuf: user buffer to copy data from (NOT NULL) |
32 | - * @alloc_size: size of user buffer | |
32 | + * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) | |
33 | 33 | * @copy_size: size of data to copy from user buffer |
34 | 34 | * @pos: position write is at in the file (NOT NULL) |
35 | 35 | * |
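Review bot: The `@alloc_size` line still describes the parameter as "size of user buffer", which conflicts with the commit title ("the buffer allocated to hold it") and with the new REQUIRES clause, since the amount read from the user buffer is `@copy_size`. Reword it to say it is the size of the buffer being allocated, for example "size of buffer to allocate (REQUIRES: @alloc_size >= @copy_size)", so a caller reading only the kernel-doc knows which of the two sizes bounds the copy. The comment could also say that violating the requirement hits a BUG, because that is the behaviour the second hunk adds.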
... | ... | @@ -41,6 +41,8 @@ |
41 | 41 | loff_t *pos) |
42 | 42 | { |
43 | 43 | char *data; |
44 | + | |
45 | + BUG_ON(copy_size > alloc_size); | |
44 | 46 | |
45 | 47 | if (*pos != 0) |
46 | 48 | /* only writes from pos 0, that is complete writes */ |
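Review bot: `BUG_ON(copy_size > alloc_size)` turns a caller mistake into a kernel halt in a routine the kernel-doc describes as the common path for getting policy from user space. If either size in any caller is derived from the length of the write, the check becomes a crash reachable from that write, so it is worth confirming at each call site that both values are fixed by kernel code, or else failing safe with a warning and an error return to the caller. A one-line comment above the `BUG_ON` noting that `alloc_size` may legitimately exceed `copy_size` (the remove case named in the commit message) would explain why the test is `>` rather than `!=`.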