From patchwork Tue Jan 2 09:56:29 2018
X-Patchwork-Submitter: James Morris
X-Patchwork-Id: 10140177
Date: Tue, 2 Jan 2018 20:56:29 +1100 (AEDT)
From: James Morris
To: Linus Torvalds
cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [GIT PULL] capabilities: fix buffer overread on very short xattr

Hi Linus,

Please pull this capabilities fix for v4.15.

The following changes since commit 30a7acd573899fd8b8ac39236eff6468b195ac7d:

  Linux 4.15-rc6 (2017-12-31 14:47:43 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git for-linus

for you to fetch changes up to dc32b5c3e6e2ef29cef76d9ce1b92d394446150e:

  capabilities: fix buffer overread on very short xattr (2018-01-02 20:49:13 +1100)

----------------------------------------------------------------
Eric Biggers (1):
      capabilities: fix buffer overread on very short xattr

 security/commoncap.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

---
commit dc32b5c3e6e2ef29cef76d9ce1b92d394446150e
Author: Eric Biggers
Date:   Mon Jan 1 09:28:31 2018 -0600

    capabilities: fix buffer overread on very short xattr

    If userspace attempted to set a "security.capability" xattr shorter
    than 4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
    cap_convert_nscap() read past the end of the buffer containing the
    xattr value because it accessed the ->magic_etc field without verifying
    that the xattr value is long enough to contain that field.
    Fix it by validating the xattr value size first.

    This bug was found using syzkaller with KASAN.  The KASAN report was as
    follows (cleaned up slightly):

        BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
        Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852

        CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 #253
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:17 [inline]
         dump_stack+0xe3/0x195 lib/dump_stack.c:53
         print_address_description+0x73/0x260 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x235/0x350 mm/kasan/report.c:409
         cap_convert_nscap+0x514/0x630 security/commoncap.c:498
         setxattr+0x2bd/0x350 fs/xattr.c:446
         path_setxattr+0x168/0x1b0 fs/xattr.c:472
         SYSC_setxattr fs/xattr.c:487 [inline]
         SyS_setxattr+0x36/0x50 fs/xattr.c:483
         entry_SYSCALL_64_fastpath+0x18/0x85

    Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities")
    Cc: # v4.14+
    Signed-off-by: Eric Biggers
    Reviewed-by: Serge Hallyn
    Signed-off-by: James Morris

diff --git a/security/commoncap.c b/security/commoncap.c
index 4f8e093..48620c9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -348,21 +348,18 @@ static __u32 sansflags(__u32 m) return m & ~VFS_CAP_FLAGS_EFFECTIVE; } -static bool is_v2header(size_t size, __le32 magic) +static bool is_v2header(size_t size, const struct vfs_cap_data *cap) { - __u32 m = le32_to_cpu(magic); if (size != XATTR_CAPS_SZ_2) return false; - return sansflags(m) == VFS_CAP_REVISION_2; + return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2; } -static bool is_v3header(size_t size, __le32 magic) +static bool is_v3header(size_t size, const struct vfs_cap_data *cap) { - __u32 m = le32_to_cpu(magic); - if (size != XATTR_CAPS_SZ_3) return false; - return sansflags(m) == VFS_CAP_REVISION_3; + return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3; } /* @@ -405,7 +402,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, fs_ns = inode->i_sb->s_user_ns; cap = (struct vfs_cap_data *) tmpbuf; - if (is_v2header((size_t) ret, cap->magic_etc)) { + if (is_v2header((size_t) ret, cap)) { /* If this is sizeof(vfs_cap_data) then we're ok with the * on-disk value, so return that. */ if (alloc) @@ -413,7 +410,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer, else kfree(tmpbuf); return ret; - } else if (!is_v3header((size_t) ret, cap->magic_etc)) { + } else if (!is_v3header((size_t) ret, cap)) { kfree(tmpbuf); return -EINVAL; } @@ -470,9 +467,9 @@ static kuid_t rootid_from_xattr(const void *value, size_t size, return make_kuid(task_ns, rootid); } -static bool validheader(size_t size, __le32 magic) +static bool validheader(size_t size, const struct vfs_cap_data *cap) { - return is_v2header(size, magic) || is_v3header(size, magic); + return is_v2header(size, cap) || is_v3header(size, cap); } /* 
@@ -495,7 +492,7 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size) if (!*ivalue) return -EINVAL; - if (!validheader(size, cap->magic_etc)) + if (!validheader(size, cap)) return -EINVAL; if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP)) return -EPERM;
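Review bot: In the is_v2header()/is_v3header() hunk the correctness of the fix rests entirely on `if (size != XATTR_CAPS_SZ_2) return false;` (and the SZ_3 counterpart) executing before `cap->magic_etc` is dereferenced; a one-line comment above the `return sansflags(le32_to_cpu(cap->magic_etc)) == ...` lines saying the size has already been checked would keep a later cleanup from hoisting the `le32_to_cpu()` back into a local at the top of the function, which is exactly the shape that produced the overread. Dropping the stray blank line in is_v3header() so it matches is_v2header() is fine.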
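Review bot: The two cap_inode_getsecurity() hunks show the same ordering problem as the reported site: `is_v2header((size_t) ret, cap->magic_etc)` and `!is_v3header((size_t) ret, cap->magic_etc)` loaded `cap->magic_etc` from tmpbuf before the callee compared `ret` against the expected size, so a stored value shorter than four bytes would have been read past its end on this path as well. Passing `cap` closes that too, but the commit message only names cap_convert_nscap(); a sentence noting that the getsecurity path is fixed by the same change would help anyone deciding what to backport.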
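Review bot: The cap_convert_nscap() hunk is the call site from the KASAN report (commoncap.c:498), and with `validheader(size, cap)` the first access to `*cap` now happens inside is_v2header() after the size comparison, which matches the description. Since the commit message already gives a one-line reproducer (`setfattr -n security.capability -v x file`), it would be worth turning that into a selftest that sets values of length 0 through 3 and expects -EINVAL, so the size-before-dereference ordering stays covered.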
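The header validation the patch fixes, modelled in user space as an added example (this is not code from the kernel or from the patch): the size comparison is made before the magic word is read, so the one-byte value from the commit message is rejected without touching the buffer. The constant values are assumed here to match include/uapi/linux/capability.h; `cap_header_revision` and `cap_value` are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values assumed to match include/uapi/linux/capability.h. */
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define XATTR_CAPS_SZ_2         20u  /* magic_etc + 2 x (permitted, inheritable) */
#define XATTR_CAPS_SZ_3         24u  /* v2 layout + rootid */

static uint32_t sansflags(uint32_t m)
{
    return m & ~VFS_CAP_FLAGS_EFFECTIVE;
}

/* Decode the little-endian magic_etc word. Callers invoke this only after
 * proving the buffer holds at least four bytes. */
static uint32_t magic_etc_of(const unsigned char *value)
{
    return (uint32_t)value[0] | ((uint32_t)value[1] << 8) |
           ((uint32_t)value[2] << 16) | ((uint32_t)value[3] << 24);
}

/* Returns 2 or 3 for a well-formed v2/v3 header, 0 otherwise. The exact-size
 * test comes first, so magic_etc is never read from a short value; this is the
 * ordering the patch establishes in is_v2header()/is_v3header(). */
int cap_header_revision(const void *value, size_t size)
{
    const unsigned char *p = value;

    if (size == XATTR_CAPS_SZ_2)
        return sansflags(magic_etc_of(p)) == VFS_CAP_REVISION_2 ? 2 : 0;
    if (size == XATTR_CAPS_SZ_3)
        return sansflags(magic_etc_of(p)) == VFS_CAP_REVISION_3 ? 3 : 0;
    return 0;
}

/* Constructed test vector: a zeroed value of the given size whose first word
 * is magic in little-endian byte order (returned from a static buffer). */
const unsigned char *cap_value(size_t size, uint32_t magic)
{
    static unsigned char buf[64];

    if (size > sizeof(buf))
        size = sizeof(buf);
    memset(buf, 0, sizeof(buf));
    buf[0] = (unsigned char)magic;
    buf[1] = (unsigned char)(magic >> 8);
    buf[2] = (unsigned char)(magic >> 16);
    buf[3] = (unsigned char)(magic >> 24);
    return buf;
}
```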