mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
828bf7929b
When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm
Snapdragon X1 we see a string buffer overrun:
BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535)
Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120
CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY
Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
Call trace:
show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
__asan_report_load1_noabort (mm/kasan/report_generic.c:378)
aa_dfa_match (security/apparmor/match.c:535)
match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336)
match_mnt (security/apparmor/mount.c:371)
aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4))
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)
Allocated by task 2120:
kasan_save_stack (mm/kasan/common.c:58)
kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79)
kasan_save_alloc_info (mm/kasan/generic.c:571)
__kasan_kmalloc (mm/kasan/common.c:419)
__kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272)
aa_get_buffer (security/apparmor/lsm.c:2201)
aa_bind_mount (security/apparmor/mount.c:442)
apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1))
security_sb_mount (security/security.c:1062 (discriminator 31))
path_mount (fs/namespace.c:4101)
__arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338)
invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49)
el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2))
do_el0_svc (arch/arm64/kernel/syscall.c:152)
el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744)
el0t_64_sync (arch/arm64/kernel/entry.S:596)
The buggy address belongs to the object at ffff0008901ca000
which belongs to the cache kmalloc-rnd-06-8k of size 8192
The buggy address is located 0 bytes to the right of
allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0
flags: 0x8000000000000040(head|zone=2)
page_type: f5(slab)
raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70
head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000
head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008901cbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0008901cc000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0008901cc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0008901cc100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
This was introduced by previous incorrect conversion from strcpy(). Fix it
by adding the missing terminator.
Cc: stable@vger.kernel.org
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: Daniel J Blueman <daniel@quora.org>
Fixes: 93d4dbdc8d ("apparmor: Replace deprecated strcpy in d_namespace_path")
Signed-off-by: John Johansen <john.johansen@canonical.com>
223 lines
6.1 KiB
C
223 lines
6.1 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor function for pathnames
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*/
|
|
|
|
#include <linux/magic.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/nsproxy.h>
|
|
#include <linux/path.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/fs_struct.h>
|
|
|
|
#include "include/apparmor.h"
|
|
#include "include/path.h"
|
|
#include "include/policy.h"
|
|
|
|
/* modified from dcache.c */
|
|
static int prepend(char **buffer, int buflen, const char *str, int namelen)
|
|
{
|
|
buflen -= namelen;
|
|
if (buflen < 0)
|
|
return -ENAMETOOLONG;
|
|
*buffer -= namelen;
|
|
memcpy(*buffer, str, namelen);
|
|
return 0;
|
|
}
|
|
|
|
#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
|
|
|
|
/* If the path is not connected to the expected root,
|
|
* check if it is a sysctl and handle specially else remove any
|
|
* leading / that __d_path may have returned.
|
|
* Unless
|
|
* specifically directed to connect the path,
|
|
* OR
|
|
* if in a chroot and doing chroot relative paths and the path
|
|
* resolves to the namespace root (would be connected outside
|
|
* of chroot) and specifically directed to connect paths to
|
|
* namespace root.
|
|
*/
|
|
static int disconnect(const struct path *path, char *buf, char **name,
|
|
int flags, const char *disconnected)
|
|
{
|
|
int error = 0;
|
|
|
|
if (!(flags & PATH_CONNECT_PATH) &&
|
|
!(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
|
|
our_mnt(path->mnt))) {
|
|
/* disconnected path, don't return pathname starting
|
|
* with '/'
|
|
*/
|
|
error = -EACCES;
|
|
if (**name == '/')
|
|
*name = *name + 1;
|
|
} else {
|
|
if (**name != '/')
|
|
/* CONNECT_PATH with missing root */
|
|
error = prepend(name, *name - buf, "/", 1);
|
|
if (!error && disconnected)
|
|
error = prepend(name, *name - buf, disconnected,
|
|
strlen(disconnected));
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* d_namespace_path - lookup a name associated with a given path
|
|
* @path: path to lookup (NOT NULL)
|
|
* @buf: buffer to store path to (NOT NULL)
|
|
* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
|
|
* @flags: flags controlling path lookup
|
|
* @disconnected: string to prefix to disconnected paths
|
|
*
|
|
* Handle path name lookup.
|
|
*
|
|
* Returns: %0 else error code if path lookup fails
|
|
* When no error the path name is returned in @name which points to
|
|
* a position in @buf
|
|
*/
|
|
static int d_namespace_path(const struct path *path, char *buf, char **name,
|
|
int flags, const char *disconnected)
|
|
{
|
|
char *res;
|
|
int error = 0;
|
|
int connected = 1;
|
|
int isdir = (flags & PATH_IS_DIR) ? 1 : 0;
|
|
int buflen = aa_g_path_max - isdir;
|
|
|
|
if (path->mnt->mnt_flags & MNT_INTERNAL) {
|
|
/* it's not mounted anywhere */
|
|
res = dentry_path(path->dentry, buf, buflen);
|
|
*name = res;
|
|
if (IS_ERR(res)) {
|
|
*name = buf;
|
|
return PTR_ERR(res);
|
|
}
|
|
if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
|
|
strncmp(*name, "/sys/", 5) == 0) {
|
|
/* TODO: convert over to using a per namespace
|
|
* control instead of hard coded /proc
|
|
*/
|
|
error = prepend(name, *name - buf, "/proc", 5);
|
|
goto out;
|
|
} else
|
|
error = disconnect(path, buf, name, flags,
|
|
disconnected);
|
|
goto out;
|
|
}
|
|
|
|
/* resolve paths relative to chroot?*/
|
|
if (flags & PATH_CHROOT_REL) {
|
|
struct path root;
|
|
get_fs_root(current->fs, &root);
|
|
res = __d_path(path, &root, buf, buflen);
|
|
path_put(&root);
|
|
} else {
|
|
res = d_absolute_path(path, buf, buflen);
|
|
if (!our_mnt(path->mnt))
|
|
connected = 0;
|
|
}
|
|
|
|
/* handle error conditions - and still allow a partial path to
|
|
* be returned.
|
|
*/
|
|
if (IS_ERR_OR_NULL(res)) {
|
|
if (PTR_ERR(res) == -ENAMETOOLONG) {
|
|
error = -ENAMETOOLONG;
|
|
*name = buf;
|
|
goto out;
|
|
}
|
|
connected = 0;
|
|
res = dentry_path_raw(path->dentry, buf, buflen);
|
|
if (IS_ERR(res)) {
|
|
error = PTR_ERR(res);
|
|
*name = buf;
|
|
goto out;
|
|
}
|
|
} else if (!our_mnt(path->mnt))
|
|
connected = 0;
|
|
|
|
*name = res;
|
|
|
|
if (!connected)
|
|
error = disconnect(path, buf, name, flags, disconnected);
|
|
|
|
/* Handle two cases:
|
|
* 1. A deleted dentry && profile is not allowing mediation of deleted
|
|
* 2. On some filesystems, newly allocated dentries appear to the
|
|
* security_path hooks as a deleted dentry except without an inode
|
|
* allocated.
|
|
*/
|
|
if (d_unlinked(path->dentry) && d_is_positive(path->dentry) &&
|
|
!(flags & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))) {
|
|
error = -ENOENT;
|
|
goto out;
|
|
}
|
|
|
|
out:
|
|
/* Append "/" to directory paths and reterminate string, except for
|
|
* root "/" which already ends in a slash.
|
|
*/
|
|
if (!error && isdir) {
|
|
bool is_root = (*name)[0] == '/' && (*name)[1] == '\0';
|
|
|
|
if (!is_root) {
|
|
buf[aa_g_path_max - 2] = '/';
|
|
buf[aa_g_path_max - 1] = '\0';
|
|
}
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* aa_path_name - get the pathname to a buffer ensure dir / is appended
|
|
* @path: path the file (NOT NULL)
|
|
* @flags: flags controlling path name generation
|
|
* @buffer: buffer to put name in (NOT NULL)
|
|
* @name: Returns - the generated path name if !error (NOT NULL)
|
|
* @info: Returns - information on why the path lookup failed (MAYBE NULL)
|
|
* @disconnected: string to prepend to disconnected paths
|
|
*
|
|
* @name is a pointer to the beginning of the pathname (which usually differs
|
|
* from the beginning of the buffer), or NULL. If there is an error @name
|
|
* may contain a partial or invalid name that can be used for audit purposes,
|
|
* but it can not be used for mediation.
|
|
*
|
|
* We need PATH_IS_DIR to indicate whether the file is a directory or not
|
|
* because the file may not yet exist, and so we cannot check the inode's
|
|
* file type.
|
|
*
|
|
* Returns: %0 else error code if could retrieve name
|
|
*/
|
|
int aa_path_name(const struct path *path, int flags, char *buffer,
|
|
const char **name, const char **info, const char *disconnected)
|
|
{
|
|
char *str = NULL;
|
|
int error = d_namespace_path(path, buffer, &str, flags, disconnected);
|
|
|
|
if (info && error) {
|
|
if (error == -ENOENT)
|
|
*info = "Failed name lookup - deleted entry";
|
|
else if (error == -EACCES)
|
|
*info = "Failed name lookup - disconnected path";
|
|
else if (error == -ENAMETOOLONG)
|
|
*info = "Failed name lookup - name too long";
|
|
else
|
|
*info = "Failed name lookup";
|
|
}
|
|
|
|
*name = str;
|
|
|
|
return error;
|
|
}
|