
Require MAC labels to be non-zero in length.
Closed, Public

Authored by markj on Jul 31 2018, 3:18 PM.

Details

Summary

In MAC_POLICY_EXTERNALIZE, the buffer length is used to create a
fixed-size sbuf. When creating such an sbuf, the code has a minimum
buffer size of 2. Thus, filter smaller buffers out when performing
validation.

Test Plan

Peter found the bug while doing syscall fuzz testing.

https://people.freebsd.org/~pho/stress/log/mark051.txt

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj added reviewers: rwatson, secteam.
markj added a subscriber: pho.

I dislike the magic 2 without a comment or #define

Add a comment and compare with 1 instead of 2.

delphij added a subscriber: delphij.
delphij added inline comments.
sys/security/mac/mac_framework.c
590 ↗(On Diff #46108)

LGTM as-is. If I were you I'd probably use sizeof("") in place of 1 because it would imply that the buffer would hold a nul-terminated string.

This revision is now accepted and ready to land. (Aug 1 2018, 2:43 AM)
This revision was automatically updated to reflect the committed changes.
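
The length check discussed in this review, as an added user-space example that is not the FreeBSD source or code from the revision: a caller-controlled length is validated before it reaches a fixed-size string buffer constructor whose minimum size is 2. All `ex_` names, the 8192 upper bound, and the return values for the too-small and does-not-fit cases are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Assumed upper bound for this example; the page does not give the real limit. */
#define EX_MAX_LABEL_BUF_LEN 8192
/* Minimum size of a fixed-size string buffer, as stated in the review summary. */
#define EX_FIXEDBUF_MINSIZE 2

/* Hypothetical stand-in for the caller-supplied label request. */
struct ex_label_req {
    size_t buflen;   /* caller-controlled length */
    char  *buf;      /* destination for the label text */
};

/* Reject oversized buffers and buffers too small for one character plus NUL. */
int ex_check_request(const struct ex_label_req *req)
{
    if (req->buflen > EX_MAX_LABEL_BUF_LEN || req->buflen <= sizeof(""))
        return EINVAL;
    return 0;
}

/* Model of the constructor; the real reaction to a small size is not on the page. */
int ex_fixedbuf_init(char *buf, size_t len)
{
    if (len < EX_FIXEDBUF_MINSIZE)
        return -1;
    buf[0] = '\0';
    return 0;
}

/* Validate first, then build the fixed-size buffer and copy the label in. */
int ex_externalize(const struct ex_label_req *req, const char *label)
{
    int error = ex_check_request(req);
    if (error != 0)
        return error;
    if (ex_fixedbuf_init(req->buf, req->buflen) != 0)
        return -1;              /* unreachable once validation is in place */
    if (strlen(label) >= req->buflen)
        return ENOMEM;          /* this example's choice for "label does not fit" */
    memcpy(req->buf, label, strlen(label) + 1);
    return 0;
}

int main(void) {
    char b[4]; struct ex_label_req r = { 1, b };
    return ex_externalize(&r, "x") == EINVAL ? 0 : 1;
}
```

Writing the lower bound as `sizeof("")` rather than a bare `1` ties the check to the NUL terminator, so lengths 0 and 1 are rejected and 2 is the smallest accepted size, matching the constructor's minimum.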