safesetid: check size of policy writes

[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ] syzbot attempts to write a buffer with a large size to a sysfs entry with writes handled by handle_policy_update(), triggering a warning in kmalloc. Check the size specified for write buffers before allocating. Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a Signed-off-by: Leo Stone <leocstone@gmail.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Leo Stone <leocstone@gmail.com> 2024-12-17 21:26:57 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-02-21 15:49:31 +0300
commit: a0dec65f88c8d9290dfa1d2ca1e897abe54c5881 (patch)
tree: 3f252b525e7f70bde6950567d17986cae8e59e56 /security
parent: 505899fb11ab6e6fd43f62734da79d4656815829 (diff)
download: linux-a0dec65f88c8d9290dfa1d2ca1e897abe54c5881.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
index 25310468bcdd..8e1ffd70b18a 100644
--- a/security/safesetid/securityfs.c
+++ b/security/safesetid/securityfs.c
@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
 	char *buf, *p, *end;
 	int err;
 
+	if (len >= KMALLOC_MAX_SIZE)
+		return -EINVAL;
+
 	pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
 	if (!pol)
 		return -ENOMEM;
author	Leo Stone <leocstone@gmail.com>	2024-12-17 21:26:57 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-02-21 15:49:31 +0300
commit	a0dec65f88c8d9290dfa1d2ca1e897abe54c5881 (patch)
tree	3f252b525e7f70bde6950567d17986cae8e59e56 /security
parent	505899fb11ab6e6fd43f62734da79d4656815829 (diff)
download	linux-a0dec65f88c8d9290dfa1d2ca1e897abe54c5881.tar.xz