This is a note to let you know that I've just added the patch titled
smack: off by one error
to the 3.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
smack-off-by-one-error.patch
and it can be found in the queue-3.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 3b9fc37280c521b086943f9aedda767f5bf3b2d3 Mon Sep 17 00:00:00 2001
From: Alan Cox <[email protected]>
Date: Thu, 26 Jul 2012 14:47:11 -0700
Subject: smack: off by one error
From: Alan Cox <[email protected]>
commit 3b9fc37280c521b086943f9aedda767f5bf3b2d3 upstream.
Consider the input case of a rule that consists entirely of non space
symbols followed by a \0. Say 64 + \0
In this case strlen(data) = 64
kzalloc of subject and object are 64 byte objects
sscanfdata, "%s %s %s", subject, ...)
will put 65 bytes into subject.
Signed-off-by: Alan Cox <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
Signed-off-by: James Morris <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
security/smack/smackfs.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -325,11 +325,11 @@ static int smk_parse_long_rule(const cha
int datalen;
int rc = -1;
- /*
- * This is probably inefficient, but safe.
- */
+ /* This is inefficient */
datalen = strlen(data);
- subject = kzalloc(datalen, GFP_KERNEL);
+
+ /* Our first element can be 64 + \0 with no spaces */
+ subject = kzalloc(datalen + 1, GFP_KERNEL);
if (subject == NULL)
return -1;
object = kzalloc(datalen, GFP_KERNEL);
Patches currently in stable-queue which might be from [email protected] are
queue-3.5/smack-off-by-one-error.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
