[prev in list] [next in list] [prev in thread] [next in thread]
List: tar-bug
Subject: [Bug-tar] [PATCH RESEND] xattrs: Fix bug with --selinux option and unlabeled files
From: Ben Shelton <ben.shelton () ni ! com>
Date: 2015-04-16 18:25:59
Message-ID: 1429208759-16712-1-git-send-email-ben.shelton () ni ! com
[Download RAW message or body]
When SELinux is enabled in the kernel but no policy is loaded, files may
be marked as unlabeled. When these files are processed,
rpl_lgetfilecon() returns the security context as "unlabeled".
map_to_failure() then frees the security context, sets errno to ENODATA,
and returns -1. However, since the security context is not NULL,
xattr_selinux_coder() attempts to read from it when the header is
generated, which leads to memory corruption (and a failure on some
future malloc).
For unlabeled files, set the security context to NULL to avoid this
use-after-free bug.
Signed-off-by: Ben Shelton <ben.shelton@ni.com>
---
src/xattrs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/xattrs.c b/src/xattrs.c
index 307ee38..0648c18 100644
--- a/src/xattrs.c
+++ b/src/xattrs.c
@@ -551,6 +551,11 @@ xattrs_selinux_get (int parentfd, char const *file_name,
fgetfilecon (fd, &st->cntx_name)
: lgetfileconat (parentfd, file_name, &st->cntx_name);
+ /* If the file is unlabeled, map_to_failure() will have freed cntx_name.
+ * If this is the case, set it to NULL so it is not used after freeing. */
+ if (result == -1 && errno == ENODATA)
+ st->cntx_name = NULL;
+
if (result == -1 && errno != ENODATA && errno != ENOTSUP)
call_arg_warn (fd ? "fgetfilecon" : "lgetfileconat", file_name);
#endif
--
2.3.2
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic