From 5e722b217ad3cf41f5504db80a68062df82b5242 Mon Sep 17 00:00:00 2001

From: Ondrej Mosnacek <omosnace@redhat.com>

Date: Fri, 7 May 2021 13:57:19 +0200

Subject: [PATCH] serial: core: fix suspicious security_locked_down() call

Git-commit: 5e722b217ad3cf41f5504db80a68062df82b5242

Patch-mainline: v5.13-rc4

References: git-fixes

The commit that added this check did so in a very strange way - first

security_locked_down() is called, its value stored into retval, and if

it's nonzero, then an additional check is made for (change_irq ||

change_port), and if this is true, the function returns. However, if

the goto exit branch is not taken, the code keeps the retval value and

continues executing the function. Then, depending on whether

uport->ops->verify_port is set, the retval value may or may not be reset

to zero and eventually the error value from security_locked_down() may

abort the function a few lines below.

I will go out on a limb and assume that this isn't the intended behavior

and that an error value from security_locked_down() was supposed to

abort the function only in case (change_irq || change_port) is true.

Note that security_locked_down() should be called last in any series of

checks, since the SELinux implementation of this hook will do a check

against the policy and generate an audit record in case of denial. If

the operation was to carry on after calling security_locked_down(), then

the SELinux denial record would be bogus.

See commit 59438b46471a ("security,lockdown,selinux: implement SELinux

lockdown") for how SELinux implements this hook.

Fixes: 794edf30ee6c ("lockdown: Lock down TIOCSSERIAL")

Acked-by: Kees Cook <keescook@chromium.org>

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Cc: stable <stable@vger.kernel.org>

Link: https://lore.kernel.org/r/20210507115719.140799-1-omosnace@redhat.com

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/tty/serial/serial_core.c | 8 +++++---

 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c

index 87f7127b57e6..18ff85a83f80 100644

--- a/drivers/tty/serial/serial_core.c

+++ b/drivers/tty/serial/serial_core.c

@@ -863,9 +863,11 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,

 		goto check_and_exit;

 	}

-	retval = security_locked_down(LOCKDOWN_TIOCSSERIAL);

-	if (retval && (change_irq || change_port))

-		goto exit;

+	if (change_irq || change_port) {

+		retval = security_locked_down(LOCKDOWN_TIOCSSERIAL);

+		if (retval)

+			goto exit;

+	}

 	/*

 	 * Ask the low level driver to verify the settings.

-- 

2.26.2