[tomoyo-users-en 80] Possible buffer overflow in TOMOYO 1.6.7 / 1.6.7p1 / 1.6.8 when used with CONFIG_SLOB=y

Tetsuo Handa from-****@i-lov*****
Fri Jul 3 14:37:11 JST 2009


A vulnerability was discovered in TOMOYO 1.6.7 / 1.6.7p1 / 1.6.8 when used with
CONFIG_SLOB=y.
This vulnerability will not show up when used with CONFIG_SLAB=y or
CONFIG_SLUB=y.

The problematic part is shown below.

------ definition part ------

#define CCS_MAX_PATHNAME_LEN 4000

#define CCS_EXEC_TMPSIZE     4096

struct ccs_execve_entry {
        struct list_head list;
        struct task_struct *task; /* = current */
        struct ccs_request_info r;
        struct ccs_obj_info obj;
        struct linux_binprm *bprm;
        int srcu_idx;
        /* For execute_handler */
        const struct ccs_path_info *handler;
        char *program_path; /* Size is CCS_MAX_PATHNAME_LEN bytes */
        /* For dumping argv[] and envp[]. */
        struct ccs_page_dump dump;
        /* For temporary use. */
        char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
};

------ allocation part ------

        ee->program_path = kzalloc(CCS_MAX_PATHNAME_LEN, GFP_KERNEL);
        ee->tmp = kzalloc(CCS_MAX_PATHNAME_LEN, GFP_KERNEL);

------ assignment part ------

        new_domain_name = ee->tmp;
        if (ccs_is_domain_initializer(r->domain->domainname, &rn, &ln)) {
                /* Transit to the child of ccs_kernel_domain domain. */
                snprintf(new_domain_name, CCS_EXEC_TMPSIZE - 1,
                         ROOT_NAME " " "%s", ee->program_path);

The comment on ee->tmp says that CCS_EXEC_TMPSIZE bytes are allocated.
However, the code was requesting only CCS_MAX_PATHNAME_LEN bytes.

If you are using the slab allocator or the slub allocator, this vulnerability
won't show up, because 4096 bytes are actually allocated: these allocators
internally round up the requested size to a power of 2.
But if you are using the slob allocator, only 4000 bytes are actually allocated
and thus there is a possibility of buffer overflow.
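As an added illustration (not part of the original mail or of the TOMOYO sources), the following user-space C program models the allocator behaviour described above and checks whether the worst-case snprintf write into ee->tmp stays inside the object each allocator really provides, for both the shipped and the patched allocation size. The power-of-two rounding is the simplified model the text gives, not a faithful copy of the kernel's kmalloc size classes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants as quoted in the advisory. */
#define CCS_MAX_PATHNAME_LEN 4000
#define CCS_EXEC_TMPSIZE     4096

enum allocator { ALLOC_SLAB, ALLOC_SLUB, ALLOC_SLOB };

/* Simplified model of the object size the kernel hands back for a request:
 * SLAB/SLUB round up to the next power of two (as the text describes),
 * SLOB returns exactly the requested size. */
static size_t usable_size(size_t requested, enum allocator a)
{
        size_t n = 1;
        if (a == ALLOC_SLOB)
                return requested;
        while (n < requested)
                n <<= 1;
        return n;
}

/* snprintf(buf, bound, ...) may write up to 'bound' bytes including the
 * terminating NUL. Return 1 if that worst case stays inside the object the
 * allocator actually provided, 0 if it can overrun it. */
static int write_fits(size_t requested, size_t bound, enum allocator a)
{
        return bound <= usable_size(requested, a);
}

/* Allocation/bound pair as shipped in 1.6.8: kzalloc(CCS_MAX_PATHNAME_LEN)
 * versus snprintf(..., CCS_EXEC_TMPSIZE - 1, ...). */
int old_tmp_fits(enum allocator a)
{
        return write_fits(CCS_MAX_PATHNAME_LEN, CCS_EXEC_TMPSIZE - 1, a);
}

/* Same check after the fix, which allocates CCS_EXEC_TMPSIZE bytes. */
int fixed_tmp_fits(enum allocator a)
{
        return write_fits(CCS_EXEC_TMPSIZE, CCS_EXEC_TMPSIZE - 1, a);
}

int main(void)
{
        const char *names[] = { "SLAB", "SLUB", "SLOB" };
        for (int a = ALLOC_SLAB; a <= ALLOC_SLOB; a++)
                printf("%s: old %s, fixed %s\n", names[a],
                       old_tmp_fits(a) ? "fits" : "OVERFLOW",
                       fixed_tmp_fits(a) ? "fits" : "OVERFLOW");
        return 0;
}
```

The lesson the model makes visible is that the shipped code was only ever safe by allocator slack; sizing the buffer by the bound you pass to snprintf removes the dependency on which allocator the kernel was built with.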

Regarding the binary packages downloadable from
http://sourceforge.jp/projects/tomoyo/releases/?package_id=5026 ,
none of these binary packages uses the slob allocator. Thus, you don't need to
update immediately.

If you are building from source, please check your kernel config for the
memory allocator choice.
If your kernel config uses the slob allocator (i.e. CONFIG_SLOB=y),
please apply the patch below or download the hotfix and rebuild.

  ccs-patch-1.6.8-20090703.tar.gz    MD5:1114ea8c201d78b044c87f2127932b8e

Regards.
---
 fs/tomoyo_domain.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- ccs-patch.orig/fs/tomoyo_domain.c
+++ ccs-patch/fs/tomoyo_domain.c
@@ -1227,7 +1227,7 @@ static struct ccs_execve_entry *ccs_allo
 		return NULL;
 	memset(ee, 0, sizeof(*ee));
 	ee->program_path = ccs_alloc(CCS_MAX_PATHNAME_LEN, false);
-	ee->tmp = ccs_alloc(CCS_MAX_PATHNAME_LEN, false);
+	ee->tmp = ccs_alloc(CCS_EXEC_TMPSIZE, false);
 	if (!ee->program_path || !ee->tmp) {
 		ccs_free(ee->program_path);
 		ccs_free(ee->tmp);
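Review bot: the size change in `+	ee->tmp = ccs_alloc(CCS_EXEC_TMPSIZE, false);` is correct and now matches the struct comment, but nothing in the hunk ties the allocation size to the bound used later in `snprintf(new_domain_name, CCS_EXEC_TMPSIZE - 1, ROOT_NAME " " "%s", ee->program_path)`, so the two constants can drift apart again; consider a compile-time check next to the definitions, e.g. `BUILD_BUG_ON(CCS_EXEC_TMPSIZE < CCS_MAX_PATHNAME_LEN + sizeof(ROOT_NAME " "))`, since the prefix plus a maximal program_path must fit in tmp. A short comment on why program_path and tmp are sized differently would also stop a future reader from "unifying" them back to CCS_MAX_PATHNAME_LEN.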
