evm: check xattr value length and type in evm_inode_setxattr()
commit 3b1deef6b1289a99505858a3b212c5b50adf0c2f upstream.
evm_inode_setxattr() can be called with no value. The function does not
check the length, so the following command can be used to produce the
kernel oops: setfattr -n security.evm FOO. This patch fixes it.
Changes in v3:
* there is no reason to return different error codes for EVM_XATTR_HMAC
and non EVM_XATTR_HMAC. Remove unnecessary test then.
Changes in v2:
* testing for validity of xattr type
[ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
[ 1106.399953] Oops: 0000 [#1] SMP
[ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
[ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
[ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
[ 1106.400020] RIP: 0010:[<ffffffff812af7b8>] [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246
[ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
[ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
[ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
[ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
[ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
[ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
[ 1106.400020] Stack:
[ 1106.400020]  ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
[ 1106.400020]  ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
[ 1106.400020]  0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
[ 1106.400020] Call Trace:
[ 1106.400020] [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
[ 1106.400020] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
[ 1106.400020] [<ffffffff8116d1e0>] setxattr+0x122/0x16c
[ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[ 1106.400020] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
[ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[ 1106.400020] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
[ 1106.400020] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
[ 1106.400020] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
[ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
[ 1106.400020] RIP [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.400020] RSP <ffff88002917fd50>
[ 1106.400020] CR2: 0000000000000000
[ 1106.428061] ---[ end trace ae08331628ba3050 ]---
Reported-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
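
The check the commit title describes (length first, then type), as an added user-space example that is not the kernel patch or code from this page. The function name model_evm_setxattr_check, the header struct and the returned error codes are assumptions of this example; the type values follow the kernel's enum evm_ima_xattr_type.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Type byte values, following the kernel's enum evm_ima_xattr_type. */
enum { IMA_XATTR_DIGEST = 0x01, EVM_XATTR_HMAC, EVM_IMA_XATTR_DIGSIG };

/* The first byte of a security.evm value carries its type (model struct). */
struct evm_xattr_hdr { unsigned char type; };

/*
 * Hypothetical model of the pre-write check. Returns 0 when the write may
 * proceed and a negative errno otherwise (error codes chosen for this example).
 */
int model_evm_setxattr_check(const char *name, const void *value, size_t len)
{
	const struct evm_xattr_hdr *hdr = value;

	if (strcmp(name, "security.evm") != 0)
		return 0;          /* not the EVM xattr, no type check applies */

	/* The length test must come before any read of hdr->type: with
	 * "setfattr -n security.evm FOO" there is no value to read. */
	if (value == NULL || len == 0)
		return -EINVAL;

	/* Same result for EVM_XATTR_HMAC and any other non-signature type. */
	if (hdr->type != EVM_IMA_XATTR_DIGSIG)
		return -EPERM;

	return 0;
}

int main(void)
{
	/* Constructed sample values: one type byte plus one payload byte. */
	const unsigned char hmac[] = { EVM_XATTR_HMAC, 0xAA };
	const unsigned char sig[]  = { EVM_IMA_XATTR_DIGSIG, 0xAA };

	printf("empty value: %d\n", model_evm_setxattr_check("security.evm", NULL, 0));
	printf("hmac type:   %d\n", model_evm_setxattr_check("security.evm", hmac, sizeof(hmac)));
	printf("digsig type: %d\n", model_evm_setxattr_check("security.evm", sig, sizeof(sig)));
	return 0;
}
```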