'selinux: KASAN: slab-out-of-bounds in xattr_getsecurity'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       git-commits-head
Subject:    selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
From:       "Linux Kernel Mailing List" <linux-kernel () vger ! kernel ! org>
Date:       2018-05-30 21:39:53
Message-ID: 20180530213953.A0E7621A14 () pdx-korg-gitolite-1 ! ci ! codeaurora ! org
[Download RAW message or body]

Web:        https://git.kernel.org/torvalds/c/efe3de79e0b52ca281ef6691480c8c68c82a4657
Commit:     efe3de79e0b52ca281ef6691480c8c68c82a4657
Parent:     4152dc91b5932e7fe49a5afed62a068b2f31d196
Refname:    refs/heads/master
Author:     Sachin Grover <sgrover@codeaurora.org>
AuthorDate: Fri May 25 14:01:39 2018 +0530
Committer:  Paul Moore <paul@paul-moore.com>
CommitDate: Tue May 29 20:11:19 2018 -0400

    selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
    
    Call trace:
     [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
     [<ffffff9203a8dbf8>] show_stack+0x28/0x38
     [<ffffff920409bfb8>] dump_stack+0xd4/0x124
     [<ffffff9203d187e8>] print_address_description+0x68/0x258
     [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
     [<ffffff9203d1927c>] kasan_report+0x5c/0x70
     [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
     [<ffffff9203d17cdc>] memcpy+0x34/0x68
     [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
     [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
     [<ffffff9203d75d68>] getxattr+0x100/0x2c8
     [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
     [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28
    
    If user get root access and calls security.selinux setxattr() with an
    embedded NUL on a file and then if some process performs a getxattr()
    on that file with a length greater than the actual length of the string,
    it would result in a panic.
    
    To fix this, add the actual length of the string to the security context
    instead of the length passed by the userspace process.
    
    Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/selinux/ss/services.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8057e19dc15f..3ce225e3f142 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1494,7 +1494,7 @@ static int security_context_to_sid_core(struct selinux_state *state,
 				      scontext_len, &context, def_sid);
 	if (rc == -EINVAL && force) {
 		context.str = str;
-		context.len = scontext_len;
+		context.len = strlen(str) + 1;
 		str = NULL;
 	} else if (rc)
 		goto out_unlock;
--
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic