[linux] 01/01: apparmor: fix oops, validate buffer size in apparmor_setprocattr() (CVE-2016-6187)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Jul 13 18:32:37 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit f00050636256f00148b347cb456e02b4affd3698
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Wed Jul 13 20:27:59 2016 +0200
apparmor: fix oops, validate buffer size in apparmor_setprocattr() (CVE-2016-6187)
---
debian/changelog | 4 +
...x-oops-validate-buffer-size-in-apparmor_s.patch | 115 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 120 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2eb3180..405b65b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -35,6 +35,10 @@ linux (4.6.4-1) UNRELEASED; urgency=medium
[ Uwe Kleine-König ]
* Cherry pick patches for rtc-s35390a from next. (Closes: #794266)
+ [ Salvatore Bonaccorso ]
+ * apparmor: fix oops, validate buffer size in apparmor_setprocattr()
+ (CVE-2016-6187)
+
-- Uwe Kleine-König <ukleinek at debian.org> Sun, 10 Jul 2016 15:25:48 +0200
linux (4.6.3-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch b/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
new file mode 100644
index 0000000..1703371
--- /dev/null
+++ b/debian/patches/bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
@@ -0,0 +1,115 @@
+From: Vegard Nossum <vegard.nossum at oracle.com>
+Date: Thu, 7 Jul 2016 13:41:11 -0700
+Subject: apparmor: fix oops, validate buffer size in apparmor_setprocattr()
+Origin: https://git.kernel.org/linus/30a46a4647fd1df9cf52e43bf467f0d9265096ca
+
+When proc_pid_attr_write() was changed to use memdup_user apparmor's
+(interface violating) assumption that the setprocattr buffer was always
+a single page was violated.
+
+The size test is not strictly speaking needed as proc_pid_attr_write()
+will reject anything larger, but for the sake of robustness we can keep
+it in.
+
+SMACK and SELinux look safe to me, but somebody else should probably
+have a look just in case.
+
+Based on original patch from Vegard Nossum <vegard.nossum at oracle.com>
+modified for the case that apparmor provides null termination.
+
+Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
+Reported-by: Vegard Nossum <vegard.nossum at oracle.com>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: John Johansen <john.johansen at canonical.com>
+Cc: Paul Moore <paul at paul-moore.com>
+Cc: Stephen Smalley <sds at tycho.nsa.gov>
+Cc: Eric Paris <eparis at parisplace.org>
+Cc: Casey Schaufler <casey at schaufler-ca.com>
+Cc: stable at kernel.org
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Reviewed-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: James Morris <james.l.morris at oracle.com>
+---
+ security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -523,34 +523,34 @@ static int apparmor_setprocattr(struct t
+ {
+ struct common_audit_data sa;
+ struct apparmor_audit_data aad = {0,};
+- char *command, *args = value;
++ char *command, *largs = NULL, *args = value;
+ size_t arg_size;
+ int error;
+
+ if (size == 0)
+ return -EINVAL;
+- /* args points to a PAGE_SIZE buffer, AppArmor requires that
+- * the buffer must be null terminated or have size <= PAGE_SIZE -1
+- * so that AppArmor can null terminate them
+- */
+- if (args[size - 1] != '\0') {
+- if (size == PAGE_SIZE)
+- return -EINVAL;
+- args[size] = '\0';
+- }
+-
+ /* task can only write its own attributes */
+ if (current != task)
+ return -EACCES;
+
+- args = value;
++ /* AppArmor requires that the buffer must be null terminated atm */
++ if (args[size - 1] != '\0') {
++ /* null terminate */
++ largs = args = kmalloc(size + 1, GFP_KERNEL);
++ if (!args)
++ return -ENOMEM;
++ memcpy(args, value, size);
++ args[size] = '\0';
++ }
++
++ error = -EINVAL;
+ args = strim(args);
+ command = strsep(&args, " ");
+ if (!args)
+- return -EINVAL;
++ goto out;
+ args = skip_spaces(args);
+ if (!*args)
+- return -EINVAL;
++ goto out;
+
+ arg_size = size - (args - (char *) value);
+ if (strcmp(name, "current") == 0) {
+@@ -576,10 +576,12 @@ static int apparmor_setprocattr(struct t
+ goto fail;
+ } else
+ /* only support the "current" and "exec" process attributes */
+- return -EINVAL;
++ goto fail;
+
+ if (!error)
+ error = size;
++out:
++ kfree(largs);
+ return error;
+
+ fail:
+@@ -588,9 +590,9 @@ fail:
+ aad.profile = aa_current_profile();
+ aad.op = OP_SETPROCATTR;
+ aad.info = name;
+- aad.error = -EINVAL;
++ aad.error = error = -EINVAL;
+ aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
+- return -EINVAL;
++ goto out;
+ }
+
+ static int apparmor_task_setrlimit(struct task_struct *task,
+--
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 76be56e..c6c2330 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -114,6 +114,7 @@ bugfix/all/posix_acl-add-set_posix_acl.patch
bugfix/all/nfsd-check-permissions-when-setting-acls.patch
bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
+bugfix/all/apparmor-fix-oops-validate-buffer-size-in-apparmor_s.patch
# ABI maintenance
debian/mips-siginfo-fix-abi-change-in-4.6.2.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list