Commit b8ef9201 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm 

Pull lsm fix from Paul Moore:
 "One small LSM patch to fix a potential integer overflow in the newly
  added lsm_set_self_attr() syscall"

* tag 'lsm-pr-20240215' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  lsm: fix integer overflow in lsm_set_self_attr() syscall
parents 4f5e5092 d8bdd795

security/security.c

+5 −2
Original line number Diff line number Diff line
@@ -29,6 +29,7 @@ 
#include <linux/backing-dev.h>

#include <linux/string.h>

#include <linux/msg.h>

#include <linux/overflow.h>

#include <net/flow.h>



/* How many LSMs were built into the kernel? */
@@ -4015,6 +4016,7 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx, 
	struct security_hook_list *hp;

	struct lsm_ctx *lctx;

	int rc = LSM_RET_DEFAULT(setselfattr);

	u64 required_len;



	if (flags)

		return -EINVAL;
@@ -4027,8 +4029,9 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx, 
	if (IS_ERR(lctx))

		return PTR_ERR(lctx);



	if (size < lctx->len || size < lctx->ctx_len + sizeof(*lctx) ||

	    lctx->len < lctx->ctx_len + sizeof(*lctx)) {

	if (size < lctx->len ||

	    check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||

	    lctx->len < required_len) {

		rc = -EINVAL;

		goto free_out;

	}