projects
/
platform
/
kernel
/
linux-starfive.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
545de8f
)
apparmor: Make path_max parameter readonly
author
John Johansen
<john.johansen@canonical.com>
Thu, 6 Apr 2017 13:55:24 +0000
(06:55 -0700)
committer
James Morris
<james.l.morris@oracle.com>
Thu, 6 Apr 2017 22:58:36 +0000
(08:58 +1000)
The path_max parameter determines the max size of buffers allocated
but it should not be setable at run time. If can be used to cause an
oops
root@ubuntu:~# echo
16777216
> /sys/module/apparmor/parameters/path_max
root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max
Killed
[ 122.141911] BUG: unable to handle kernel paging request at
ffff880080945fff
[ 122.143497] IP: [<
ffffffff81228844
>] d_absolute_path+0x44/0xa0
[ 122.144742] PGD 220c067 PUD 0
[ 122.145453] Oops: 0002 [#1] SMP
[ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect
[ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes
[ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu
[ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 122.168611] task:
ffff88003496aa00
ti:
ffff880076474000
task.ti:
ffff880076474000
[ 122.170018] RIP: 0010:[<
ffffffff81228844
>] [<
ffffffff81228844
>] d_absolute_path+0x44/0xa0
[ 122.171525] RSP: 0018:
ffff880076477b90
EFLAGS:
00010206
[ 122.172462] RAX:
ffff880080945fff
RBX:
0000000000000000
RCX:
0000000001000000
[ 122.173709] RDX:
0000000000ffffff
RSI:
ffff880080946000
RDI:
ffff8800348a1010
[ 122.174978] RBP:
ffff880076477bb8
R08:
ffff880076477c80
R09:
0000000000000000
[ 122.176227] R10:
00007ffffffff000
R11:
ffff88007f946000
R12:
ffff88007f946000
[ 122.177496] R13:
ffff880076477c80
R14:
ffff8800348a1010
R15:
ffff8800348a2400
[ 122.178745] FS:
00007fd459eb4700
(0000) GS:
ffff88007b6c0000
(0000) knlGS:
0000000000000000
[ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 122.181186] CR2:
ffff880080945fff
CR3:
0000000073422000
CR4:
00000000001406e0
[ 122.182469] Stack:
[ 122.182843]
00ffffff00000001
ffff880080946000
0000000000000000
0000000000000000
[ 122.184409]
00000000570f789c
ffff880076477c30
ffffffff81385671
ffff88007a2e7a58
[ 122.185810]
0000000000000000
ffff880076477c88
01000000008a1000
0000000000000000
[ 122.187231] Call Trace:
[ 122.187680] [<
ffffffff81385671
>] aa_path_name+0x81/0x370
[ 122.188637] [<
ffffffff813875dd
>] profile_transition+0xbd/0xb80
[ 122.190181] [<
ffffffff811af9bc
>] ? zone_statistics+0x7c/0xa0
[ 122.191674] [<
ffffffff81389b20
>] apparmor_bprm_set_creds+0x9b0/0xac0
[ 122.193288] [<
ffffffff812e1971
>] ? ext4_xattr_get+0x81/0x220
[ 122.194793] [<
ffffffff812e800c
>] ? ext4_xattr_security_get+0x1c/0x30
[ 122.196392] [<
ffffffff813449b9
>] ? get_vfs_caps_from_disk+0x69/0x110
[ 122.198004] [<
ffffffff81232d4f
>] ? mnt_may_suid+0x3f/0x50
[ 122.199737] [<
ffffffff81344b03
>] ? cap_bprm_set_creds+0xa3/0x600
[ 122.201377] [<
ffffffff81346e53
>] security_bprm_set_creds+0x33/0x50
[ 122.203024] [<
ffffffff81214ce5
>] prepare_binprm+0x85/0x190
[ 122.204515] [<
ffffffff81216545
>] do_execveat_common.isra.33+0x485/0x710
[ 122.206200] [<
ffffffff81216a6a
>] SyS_execve+0x3a/0x50
[ 122.207615] [<
ffffffff81838795
>] stub_execve+0x5/0x5
[ 122.208978] [<
ffffffff818384f2
>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8
[ 122.217320] RIP [<
ffffffff81228844
>] d_absolute_path+0x44/0xa0
[ 122.218860] RSP <
ffff880076477b90
>
[ 122.219919] CR2:
ffff880080945fff
[ 122.220936] ---[ end trace
506cdbd85eb6c55e
]---
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/apparmor/lsm.c
patch
|
blob
|
history
diff --git
a/security/apparmor/lsm.c
b/security/apparmor/lsm.c
index
35444c8
..
8f3c0f7
100644
(file)
--- a/
security/apparmor/lsm.c
+++ b/
security/apparmor/lsm.c
@@
-710,7
+710,7
@@
module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR
| S_IWUSR
);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.