1 |
Hi folks, I have made another rsbac fixation patch to rsbac kernel 3.8 |
2 |
|
3 |
http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=summary |
4 |
|
5 |
and with PaX 3.8.13 |
6 |
|
7 |
http://grsecurity.net/test/pax-linux-3.8.13-test24.patch |
8 |
|
9 |
|
10 |
I'm not sure if the stuff related with namei.c file is correct |
11 |
|
12 |
|
13 |
|
14 |
#ifdef CONFIG_RSBAC_SYM_REDIR |
15 |
rsbac_name = rsbac_symlink_redirect(dentry- |
16 |
>d_inode, link, buflen); |
17 |
if (rsbac_name) { |
18 |
len = strlen(rsbac_name); |
19 |
if (copy_to_user(buffer, rsbac_name, len)) |
20 |
len = -EFAULT; |
21 |
kfree(rsbac_name); |
22 |
} |
23 |
else |
24 |
#endif |
25 |
if (len < sizeof(tmpbuf)) { |
26 |
memcpy(tmpbuf, link, len); |
27 |
newlink = tmpbuf; |
28 |
} else |
29 |
newlink = link; |
30 |
|
31 |
if (copy_to_user(buffer, newlink, len)) |
32 |
len = -EFAULT; |
33 |
out: |
34 |
return len; |
35 |
} |
36 |
|
37 |
/* |
38 |
|
39 |
|
40 |
PaX tries to do this modification to rsbac git code: |
41 |
|
42 |
--- fs/namei.c 2013-03-19 01:53:21.091281869 +0100 |
43 |
+++ fs/namei.c 2013-03-19 01:53:31.251281326 +0100 |
44 |
@@ -3954,7 +3956,14 @@ |
45 |
len = strlen(link); |
46 |
if (len > (unsigned) buflen) |
47 |
len = buflen; |
48 |
- if (copy_to_user(buffer, link, len)) |
49 |
+ |
50 |
+ if (len < sizeof(tmpbuf)) { |
51 |
+ memcpy(tmpbuf, link, len); |
52 |
+ newlink = tmpbuf; |
53 |
+ } else |
54 |
+ newlink = link; |
55 |
+ |
56 |
+ if (copy_to_user(buffer, newlink, len)) |
57 |
len = -EFAULT; |
58 |
out: |
59 |
return len; |
60 |
|
61 |
In fixation patch if CONFIG_RSBAC_SYM_REDIR is defined then test is: |
62 |
|
63 |
if (copy_to_user(buffer, rsbac_name, len)) |
64 |
len = -EFAULT; |
65 |
|
66 |
if you don't think this is correct any stuff is highly appreciated. |