]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commitdiff
projects / mirror_ubuntu-bionic-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9ccd9a8)
selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
authorSachin Grover <sgrover@codeaurora.org>
Fri, 25 May 2018 08:31:39 +0000 (14:01 +0530)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Wed, 5 Sep 2018 08:30:45 +0000 (10:30 +0200)
BugLink: http://bugs.launchpad.net/bugs/1788897
commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.

Call trace:
 [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
 [<ffffff9203a8dbf8>] show_stack+0x28/0x38
 [<ffffff920409bfb8>] dump_stack+0xd4/0x124
 [<ffffff9203d187e8>] print_address_description+0x68/0x258
 [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
 [<ffffff9203d1927c>] kasan_report+0x5c/0x70
 [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
 [<ffffff9203d17cdc>] memcpy+0x34/0x68
 [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
 [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
 [<ffffff9203d75d68>] getxattr+0x100/0x2c8
 [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
 [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28

If user get root access and calls security.selinux setxattr() with an
embedded NUL on a file and then if some process performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.

To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.

Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
security/selinux/ss/services.c patch | blob | blame | history

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 13118a9a25137af54524980f17306c09284e4cd0..de5eef3b575520623a7d9dca2fd2701a97bbc82e 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1449,7 +1449,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
                                      scontext_len, &context, def_sid);
        if (rc == -EINVAL && force) {
                context.str = str;
-               context.len = scontext_len;
+               context.len = strlen(str) + 1;
                str = NULL;
        } else if (rc)
                goto out_unlock;
ubuntu-bionic-kernel mirror