[linux] 01/01: apparmor: fix oops, validate buffer size in apparmor_setprocattr() (CVE-2016-6187)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Jul 13 18:32:37 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit f00050636256f00148b347cb456e02b4affd3698
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Jul 13 20:27:59 2016 +0200

    apparmor: fix oops, validate buffer size in apparmor_setprocattr() (CVE-2016-6187)
---
 debian/changelog                                   |   4 +
 ...x-oops-validate-buffer-size-in-apparmor_s.patch | 115 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 120 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 2eb3180..405b65b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,6 +35,10 @@ linux (4.6.4-1) UNRELEASED; urgency=medium
   [ Uwe Kleine-König ]
   * Cherry pick patches for rtc-s35390a from next. (Closes: #794266)
 
+  [ Salvatore Bonaccorso ]
+  * apparmor: fix oops, validate buffer size in apparmor_setprocattr()
+    (CVE-2016-6187)
+
  -- Uwe Kleine-König <ukleinek at debian.org>  Sun, 10 Jul 2016 15:25:48 +0200
 
 linux (4.6.3-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch b/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
new file mode 100644
index 0000000..1703371
--- /dev/null
+++ b/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
@@ -0,0 +1,115 @@
+From: Vegard Nossum <vegard.nossum at oracle.com>
+Date: Thu, 7 Jul 2016 13:41:11 -0700
+Subject: apparmor: fix oops, validate buffer size in apparmor_setprocattr()
+Origin: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca
+
+When proc_pid_attr_write() was changed to use memdup_user apparmor's
+(interface violating) assumption that the setprocattr buffer was always
+a single page was violated.
+
+The size test is not strictly speaking needed as proc_pid_attr_write()
+will reject anything larger, but for the sake of robustness we can keep
+it in.
+
+SMACK and SELinux look safe to me, but somebody else should probably
+have a look just in case.
+
+Based on original patch from Vegard Nossum <vegard.nossum at oracle.com>
+modified for the case that apparmor provides null termination.
+
+Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
+Reported-by: Vegard Nossum <vegard.nossum at oracle.com>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: John Johansen <john.johansen at canonical.com>
+Cc: Paul Moore <paul at paul-moore.com>
+Cc: Stephen Smalley <sds at tycho.nsa.gov>
+Cc: Eric Paris <eparis at parisplace.org>
+Cc: Casey Schaufler <casey at schaufler-ca.com>
+Cc: stable at kernel.org
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Reviewed-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+---
+ security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct t
+ {
+ 	struct common_audit_data sa;
+ 	struct apparmor_audit_data aad = {0,};
+-	char *command, *args = value;
++	char *command, *largs = NULL, *args = value;
+ 	size_t arg_size;
+ 	int error;
+ 
+ 	if (size == 0)
+ 		return -EINVAL;
+-	/* args points to a PAGE_SIZE buffer, AppArmor requires that
+-	 * the buffer must be null terminated or have size <= PAGE_SIZE -1
+-	 * so that AppArmor can null terminate them
+-	 */
+-	if (args[size - 1] != '\0') {
+-		if (size == PAGE_SIZE)
+-			return -EINVAL;
+-		args[size] = '\0';
+-	}
+-
+ 	/* task can only write its own attributes */
+ 	if (current != task)
+ 		return -EACCES;
+ 
+-	args = value;
++	/* AppArmor requires that the buffer must be null terminated atm */
++	if (args[size - 1] != '\0') {
++		/* null terminate */
++		largs = args = kmalloc(size + 1, GFP_KERNEL);
++		if (!args)
++			return -ENOMEM;
++		memcpy(args, value, size);
++		args[size] = '\0';
++	}
++
++	error = -EINVAL;
+ 	args = strim(args);
+ 	command = strsep(&args, " ");
+ 	if (!args)
+-		return -EINVAL;
++		goto out;
+ 	args = skip_spaces(args);
+ 	if (!*args)
+-		return -EINVAL;
++		goto out;
+ 
+ 	arg_size = size - (args - (char *) value);
+ 	if (strcmp(name, "current") == 0) {
+@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct t
+ 			goto fail;
+ 	} else
+ 		/* only support the "current" and "exec" process attributes */
+-		return -EINVAL;
++		goto fail;
+ 
+ 	if (!error)
+ 		error = size;
++out:
++	kfree(largs);
+ 	return error;
+ 
+ fail:
+@@ -588,9 +590,9 @@ fail:
+ 	aad.profile = aa_current_profile();
+ 	aad.op = OP_SETPROCATTR;
+ 	aad.info = name;
+-	aad.error = -EINVAL;
++	aad.error = error = -EINVAL;
+ 	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
+-	return -EINVAL;
++	goto out;
+ }
+ 
+ static int apparmor_task_setrlimit(struct task_struct *task,
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 76be56e..c6c2330 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -114,6 +114,7 @@ bugfix/all/posix_acl-add-set_posix_acl.patch
 bugfix/all/nfsd-check-permissions-when-setting-acls.patch
 bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
 bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
+bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
 
 # ABI maintenance
 debian/mips-siginfo-fix-abi-change-in-4.6.2.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list