
Commit 3ed02ada authored by John Johansen, committed by James Morris

AppArmor: Ensure the size of the copy is < the buffer allocated to hold it



Actually I think in this case the appropriate thing to do is to BUG as there
is currently a case (remove) where the alloc_size needs to be larger than
the copy_size, and if copy_size is ever greater than alloc_size there is
a mistake in the caller code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
parent 9f1c1d42
+3 −1
@@ -29,7 +29,7 @@
 * aa_simple_write_to_buffer - common routine for getting policy from user
 * @op: operation doing the user buffer copy
 * @userbuf: user buffer to copy data from  (NOT NULL)
 * @alloc_size: size of user buffer
 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
 * @copy_size: size of data to copy from user buffer
 * @pos: position write is at in the file (NOT NULL)
 *
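Review bot: the @alloc_size kerneldoc line still reads "size of user buffer", which sits oddly with the new REQUIRES clause and with the commit title. If the value may be larger than @copy_size, it describes the buffer allocated to hold the copy rather than the user buffer. Suggest rewording it as the size of the allocation, and stating in the function description what happens when the requirement is violated, since the comment currently gives no hint that the result is a BUG.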
@@ -42,6 +42,8 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
{
	char *data;

	BUG_ON(copy_size > alloc_size);

	if (*pos != 0)
		/* only writes from pos 0, that is complete writes */
		return ERR_PTR(-ESPIPE);
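Review bot: `BUG_ON(copy_size > alloc_size)` at the top of aa_simple_write_to_buffer takes the BUG path for what the commit message calls a mistake in the caller, although this function already reports failure through ERR_PTR (see the -ESPIPE return just below). Consider `if (WARN_ON(copy_size > alloc_size)) return ERR_PTR(-EINVAL);` so the oversized copy is still refused and logged while the kernel keeps running. If BUG_ON stays, a one-line comment above it naming the remove case that needs alloc_size larger than copy_size would explain why the check is not an equality test.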