summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSachin Grover <sgrover@codeaurora.org>2018-05-25 14:01:39 +0530
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-06-05 11:46:11 +0200
commit37ed107ea32bcc4f8cec381c9d3109dffc1b3b91 (patch)
tree2342af371e757cec2fa28ce78ef89d8d1136cca3
parentf230f951e0e7b602a793f31ae37bc6930b87472f (diff)
downloadlinux-stable-37ed107ea32bcc4f8cec381c9d3109dffc1b3b91.tar.gz
linux-stable-37ed107ea32bcc4f8cec381c9d3109dffc1b3b91.tar.bz2
linux-stable-37ed107ea32bcc4f8cec381c9d3109dffc1b3b91.zip
selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream. Call trace: [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428 [<ffffff9203a8dbf8>] show_stack+0x28/0x38 [<ffffff920409bfb8>] dump_stack+0xd4/0x124 [<ffffff9203d187e8>] print_address_description+0x68/0x258 [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0 [<ffffff9203d1927c>] kasan_report+0x5c/0x70 [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0 [<ffffff9203d17cdc>] memcpy+0x34/0x68 [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160 [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120 [<ffffff9203d75d68>] getxattr+0x100/0x2c8 [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0 [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28 If user get root access and calls security.selinux setxattr() with an embedded NUL on a file and then if some process performs a getxattr() on that file with a length greater than the actual length of the string, it would result in a panic. To fix this, add the actual length of the string to the security context instead of the length passed by the userspace process. Signed-off-by: Sachin Grover <sgrover@codeaurora.org> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--security/selinux/ss/services.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8900ea5cbabf..1dde563aff1d 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1448,7 +1448,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
scontext_len, &context, def_sid);
if (rc == -EINVAL && force) {
context.str = str;
- context.len = scontext_len;
+ context.len = strlen(str) + 1;
str = NULL;
} else if (rc)
goto out_unlock;