author: Eric Paris <eparis@redhat.com> 2008-10-29 15:42:12 +1100
committer: James Morris <jmorris@namei.org> 2008-11-11 22:01:24 +1100
commit: 637d32dc720897616e8a1a4f9e9609e29d431800
tree: 6b9e500f4f9fa624da3b6bd28d6d161a615a3a63
parent: e68b75a027bb94066576139ee33676264f867b87
Capabilities: BUG when an invalid capability is requested
If an invalid (large) capability is requested the capabilities system may panic as it is dereferencing an array of fixed (short) length. It's possible (and actually often happens) that the capability system accidentally stumbled into a valid memory region but it also regularly happens that it hits invalid memory and BUGs. If such an operation does get past cap_capable then the selinux system is sure to have problems as it already does a (simple) validity check and BUG. This is known to happen by the broken and buggy firegl driver.

This patch cleanly checks all capable calls and BUG if a call is for an invalid capability. This will likely break the firegl driver for some situations, but it is the right thing to do. Garbage into a security system gets you killed/bugged

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- kernel/capability.c | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/kernel/capability.c b/kernel/capability.c
index 19f9eda89975..adb262f83de1 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -514,6 +514,11 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
*/
int capable(int cap)
{
+ if (unlikely(!cap_valid(cap))) {
+ printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
+ BUG();
+ }
+
if (has_capability(current, cap)) {
current->flags |= PF_SUPERPRIV;
return 1;
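Review bot: the printk in the new check formats cap with %u although capable() is declared as int capable(int cap), so a negative argument would be logged as a large unsigned number and the log line would hide which value the caller actually passed; %d matches the parameter type. Separately, the comment block that ends just above int capable(int cap) is not touched by this hunk, so the new contract (an out-of-range cap now hits BUG() instead of returning 0) is undocumented for driver authors; a sentence there stating that callers must pass a valid capability would make the fatal behaviour explicit.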