    capabilities: fix buffer overread on very short xattr · dc32b5c3
    Eric Biggers authored
    If userspace attempted to set a "security.capability" xattr shorter than
    4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
    cap_convert_nscap() read past the end of the buffer containing the xattr
    value because it accessed the ->magic_etc field without verifying that
    the xattr value is long enough to contain that field.
    
    Fix it by validating the xattr value size first.
    
    This bug was found using syzkaller with KASAN.  The KASAN report was as
    follows (cleaned up slightly):
    
        BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
        Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852
    
        CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 #253
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:17 [inline]
         dump_stack+0xe3/0x195 lib/dump_stack.c:53
         print_address_description+0x73/0x260 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x235/0x350 mm/kasan/report.c:409
         cap_convert_nscap+0x514/0x630 security/commoncap.c:498
         setxattr+0x2bd/0x350 fs/xattr.c:446
         path_setxattr+0x168/0x1b0 fs/xattr.c:472
         SYSC_setxattr fs/xattr.c:487 [inline]
         SyS_setxattr+0x36/0x50 fs/xattr.c:483
         entry_SYSCALL_64_fastpath+0x18/0x85
    
    Fixes: 8db6c34f ("Introduce v3 namespaced file capabilities")
    Cc: <stable@vger.kernel.org> # v4.14+
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Reviewed-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
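The defect the commit describes is a length check missing before a fixed-offset field read. The following is an added illustration (not the kernel's code and not from this commit) of the check pattern in userspace C: a hypothetical `cap_xattr_read_magic()` over a simplified layout whose first field is a 32-bit little-endian `magic_etc` word, rejecting any value shorter than that field with -EINVAL before touching it. The struct layout, function name and sample buffers are assumptions constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical simplified layout (not the kernel's struct vfs_cap_data):
 * the value starts with a 32-bit little-endian magic_etc word. */
struct cap_xattr_hdr {
    uint32_t magic_etc;
};

#define CAP_XATTR_MIN_SIZE sizeof(struct cap_xattr_hdr)

/* Read magic_etc from an xattr value of the given size.
 * Returns 0 and stores the word in *magic_out on success, or -EINVAL when
 * the value is too short to contain the field. The size check comes first,
 * which is exactly the check whose absence caused the overread. */
int cap_xattr_read_magic(const void *value, size_t size, uint32_t *magic_out)
{
    const unsigned char *b = (const unsigned char *)value;

    if (value == NULL || magic_out == NULL || size < CAP_XATTR_MIN_SIZE)
        return -EINVAL;

    /* Assemble the little-endian word byte by byte; only bytes 0..3 are
     * touched, and the check above guarantees they exist. */
    *magic_out = (uint32_t)b[0]
               | ((uint32_t)b[1] << 8)
               | ((uint32_t)b[2] << 16)
               | ((uint32_t)b[3] << 24);
    return 0;
}

/* Convenience wrapper: 1 if the value is at least long enough to hold the
 * header, 0 otherwise. */
int cap_xattr_size_ok(size_t size)
{
    return size >= CAP_XATTR_MIN_SIZE;
}

int main(void)
{
    /* Constructed inputs: the 1-byte value from the commit message's
     * 'setfattr -v x' reproducer, and a well-formed 4-byte header. */
    const unsigned char short_value[] = { 'x' };
    const unsigned char good_value[]  = { 0x01, 0x00, 0x00, 0x03 };
    uint32_t magic = 0;

    if (cap_xattr_read_magic(short_value, sizeof short_value, &magic) == -EINVAL)
        printf("1-byte value rejected (would have overread before the fix)\n");

    if (cap_xattr_read_magic(good_value, sizeof good_value, &magic) == 0)
        printf("magic_etc = 0x%08x\n", magic);

    return 0;
}
```

The point of the wrapper is ordering: the size comparison must precede any dereference of the header, and the minimum is derived from the header type rather than written as a literal so it cannot drift if the layout changes.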