Commit 730801e0 authored by Shawn Webb's avatar Shawn Webb

Fix SMAP violation



Under the right conditions, secadm may cause a kernel panic due to an
SMAP violation:

1. kldload secadm
2. secadm add integriforce
3. secadm show
4. secadm flush
5. secadm add integriforce
6. secadm show <- panic here
Signed-off-by: Shawn Webb's avatarShawn Webb <shawn.webb@hardenedbsd.org>
Reported-by:	Airbus CyberSecurity SAS
Submitted-by:	Airbus CyberSecurity SAS
parent fcd80429
......@@ -2,6 +2,7 @@
* Copyright (c) 2014,2015 Shawn Webb <shawn.webb@hardenedbsd.org>
* Copyright (c) 2015 Brian Salcedo <brian.salcedo@hardenedbsd.org>
* All rights reserved.
* Copyright (c) 2021 Airbus CyberSecurity SAS. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -178,17 +179,26 @@ secadm_sysctl_handler(SYSCTL_HANDLER_ARGS)
rule = kernel_get_rule(req->td, (secadm_rule_t *) cmd.sc_data);
if (rule == NULL) {
rn = ((secadm_rule_t *) cmd.sc_data)->sr_id + 1;
secadm_rule_t *r = malloc(sizeof(secadm_rule_t), M_SECADM, M_WAITOK);
if (copyin(cmd.sc_data, r, sizeof(secadm_rule_t))) {
kernel_free_rule(r);
break;
}
rn = r->sr_id + 1;
entry = get_prison_list_entry(
req->td->td_ucred->cr_prison->pr_id);
if (rn >= entry->sp_last_id) {
free(r, M_SECADM);
break;
}
for (i = rn; i < entry->sp_last_id; i++) {
((secadm_rule_t *) cmd.sc_data)->sr_id = i;
r->sr_id = i;
if ((err = copyout(r, cmd.sc_data, sizeof(secadm_rule_t)))) {
break;
}
rule = kernel_get_rule(req->td,
(secadm_rule_t *) cmd.sc_data);
......@@ -196,6 +206,7 @@ secadm_sysctl_handler(SYSCTL_HANDLER_ARGS)
break;
}
}
free(r, M_SECADM);
}
if (rule == NULL) {
......
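Review bot: The copyin() failure path hands `r` to `kernel_free_rule(r)`, while every other exit in this block releases it with `free(r, M_SECADM)`. At that point `r` is a malloc() buffer allocated without M_ZERO that copyin() may have filled only partly, so if kernel_free_rule() follows pointers stored inside the rule (its body is not shown here) it would be acting on uninitialised or caller-supplied values. I would change that branch to `free(r, M_SECADM);` and keep the error code, e.g. `if ((err = copyin(cmd.sc_data, r, sizeof(secadm_rule_t)))) {`, matching how the copyout() result is stored in `err`. Separately, kernel_get_rule() is still passed the cast user pointer `cmd.sc_data` after the copyout(), so unless it performs its own copyin() the direct user-memory access this commit targets may remain there, and the value it reads can differ from what was just written; passing `r` would avoid both. secadm_sysctl_handler() begins and ends outside the visible hunks.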