From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sachin Grover <sgrover@codeaurora.org>,
Paul Moore <paul@paul-moore.com>
Subject: [PATCH 3.18 02/21] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
Date: Tue, 12 Jun 2018 18:51:59 +0200 [thread overview]
Message-ID: <20180612164825.495531260@linuxfoundation.org> (raw)
In-Reply-To: <20180612164825.401145490@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sachin Grover <sgrover@codeaurora.org>
commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.
Call trace:
[<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
[<ffffff9203a8dbf8>] show_stack+0x28/0x38
[<ffffff920409bfb8>] dump_stack+0xd4/0x124
[<ffffff9203d187e8>] print_address_description+0x68/0x258
[<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
[<ffffff9203d1927c>] kasan_report+0x5c/0x70
[<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
[<ffffff9203d17cdc>] memcpy+0x34/0x68
[<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
[<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
[<ffffff9203d75d68>] getxattr+0x100/0x2c8
[<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
[<ffffff9203a83f70>] el0_svc_naked+0x24/0x28
If user get root access and calls security.selinux setxattr() with an
embedded NUL on a file and then if some process performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.
To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.
Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/ss/services.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1271,7 +1271,7 @@ static int security_context_to_sid_core(
scontext_len, &context, def_sid);
if (rc == -EINVAL && force) {
context.str = str;
- context.len = scontext_len;
+ context.len = strlen(str) + 1;
str = NULL;
} else if (rc)
goto out_unlock;
next prev parent reply other threads:[~2018-06-12 16:56 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-12 16:51 [PATCH 3.18 00/21] 3.18.113-stable review Greg Kroah-Hartman
2018-06-12 16:51 ` [PATCH 3.18 01/21] tracing: Fix crash when freeing instances with event triggers Greg Kroah-Hartman
2018-06-12 16:51 ` Greg Kroah-Hartman [this message]
2018-06-12 16:52 ` [PATCH 3.18 03/21] cfg80211: further limit wiphy names to 64 bytes Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 04/21] tcp: avoid integer overflows in tcp_rcv_space_adjust() Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 05/21] MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 07/21] fix io_destroy()/aio_complete() race Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 08/21] mm: fix the NULL mapping case in __isolate_lru_page() Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 09/21] mmap: introduce sane default mmap limits Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 10/21] mmap: relax file size limit for regular files Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 11/21] drm: set FMODE_UNSIGNED_OFFSET for drm files Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 12/21] bnx2x: use the right constant Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 13/21] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect() Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 14/21] enic: set DMA mask to 47 bit Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 15/21] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 16/21] isdn: eicon: fix a missing-check bug Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 17/21] net/packet: refine check for priv area size Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 19/21] net/mlx4: Fix irq-unsafe spinlock usage Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 20/21] team: use netdev_features_t instead of u32 Greg Kroah-Hartman
2018-06-12 16:52 ` [PATCH 3.18 21/21] rtnetlink: validate attributes in do_setlink() Greg Kroah-Hartman
2018-06-12 18:19 ` [PATCH 3.18 00/21] 3.18.113-stable review Nathan Chancellor
2018-06-12 18:20 ` Harsh Shandilya
2018-06-12 18:49 ` Greg Kroah-Hartman
2018-06-12 21:00 ` Shuah Khan
[not found] ` <5b20444c.1c69fb81.cb5e6.5a8d@mx.google.com>
2018-06-13 4:40 ` Greg Kroah-Hartman
2018-06-14 0:09 ` Kevin Hilman
2018-06-14 15:51 ` Guenter Roeck
2018-06-20 0:36 ` Kevin Hilman
2018-06-20 2:18 ` Guenter Roeck
2018-06-13 13:48 ` Guenter Roeck
2018-06-13 14:09 ` Greg Kroah-Hartman
2018-06-13 14:58 ` Greg Kroah-Hartman
2018-06-13 17:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180612164825.495531260@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sgrover@codeaurora.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox