From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jann Horn <jannh@google.com>,
John Johansen <john.johansen@canonical.com>
Subject: [PATCH 4.14 11/51] apparmor: enforce nullbyte at end of tag string
Date: Mon, 24 Jun 2019 17:56:29 +0800 [thread overview]
Message-ID: <20190624092307.714151995@linuxfoundation.org> (raw)
In-Reply-To: <20190624092305.919204959@linuxfoundation.org>
From: Jann Horn <jannh@google.com>
commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
A packed AppArmor policy contains null-terminated tag strings that are read
by unpack_nameX(). However, unpack_nameX() uses string functions on them
without ensuring that they are actually null-terminated, potentially
leading to out-of-bounds accesses.
Make sure that the tag string is null-terminated before passing it to
strcmp().
Cc: stable@vger.kernel.org
Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -259,7 +259,7 @@ static bool unpack_nameX(struct aa_ext *
char *tag = NULL;
size_t size = unpack_u16_chunk(e, &tag);
/* if a name is specified it must match. otherwise skip tag */
- if (name && (!size || strcmp(name, tag)))
+ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
goto fail;
} else if (name) {
/* if a name is specified and there is no name tag fail */
next prev parent reply other threads:[~2019-06-24 9:57 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-24 9:56 [PATCH 4.14 00/51] 4.14.130-stable review Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 01/51] tracing: Silence GCC 9 array bounds warning Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 02/51] objtool: Support per-function rodata sections Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 03/51] gcc-9: silence address-of-packed-member warning Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 04/51] net: phy: broadcom: Use strlcpy() for ethtool::get_strings Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 05/51] mmc: core: Prevent processing SDIO IRQs when the card is suspended Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 06/51] scsi: ufs: Avoid runtime suspend possibly being blocked forever Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 07/51] usb: chipidea: udc: workaround for endpoint conflict issue Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 08/51] IB/hfi1: Silence txreq allocation warnings Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 09/51] Input: synaptics - enable SMBus on ThinkPad E480 and E580 Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 10/51] Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD Greg Kroah-Hartman
2019-06-24 9:56 ` Greg Kroah-Hartman [this message]
2019-06-24 9:56 ` [PATCH 4.14 12/51] ARC: fix build warnings Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 13/51] ARC: [plat-hsdk]: Add missing multicast filter bins number to GMAC node Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 14/51] ARC: [plat-hsdk]: Add missing FIFO size entry in " Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 15/51] parport: Fix mem leak in parport_register_dev_model Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 16/51] parisc: Fix compiler warnings in float emulation code Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 17/51] IB/rdmavt: Fix alloc_qpn() WARN_ON() Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 18/51] IB/hfi1: Insure freeze_work work_struct is canceled on shutdown Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 19/51] IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 20/51] IB/hfi1: Validate page aligned for a given virtual address Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 21/51] MIPS: uprobes: remove set but not used variable epc Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 22/51] xtensa: Fix section mismatch between memblock_reserve and mem_reserve Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 23/51] net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0 Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 24/51] net: hns: Fix loopback test failed at copper ports Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 25/51] mdesc: fix a missing-check bug in get_vdev_port_node_info() Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 26/51] sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 27/51] net: ethernet: mediatek: Use hw_feature to judge if HWLRO is supported Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 28/51] net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW RX_2BYTE_OFFSET is enabled Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 29/51] drm/arm/hdlcd: Actually validate CRTC modes Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 30/51] drm/arm/hdlcd: Allow a bit of clock tolerance Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 31/51] scripts/checkstack.pl: Fix arm64 wrong or unknown architecture Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 32/51] scsi: ufs: Check that space was properly alloced in copy_query_response Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 33/51] scsi: smartpqi: unlock on error in pqi_submit_raid_request_synchronous() Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 34/51] net: ipvlan: Fix ipvlan device tso disabled while NETIF_F_IP_CSUM is set Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 35/51] s390/qeth: fix VLAN attribute in bridge_hostnotify udev event Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 36/51] hwmon: (core) add thermal sensors only if dev->of_node is present Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 37/51] hwmon: (pmbus/core) Treat parameters as paged if on multiple pages Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 38/51] nvme: Fix u32 overflow in the number of namespace list calculation Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 39/51] btrfs: start readahead also in seed devices Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 40/51] can: flexcan: fix timeout when set small bitrate Greg Kroah-Hartman
2019-06-24 9:56 ` [PATCH 4.14 41/51] can: purge socket error queue on sock destruct Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 42/51] powerpc/bpf: use unsigned division instruction for 64-bit operations Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 43/51] ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 44/51] ARM: dts: am57xx-idk: Remove support for voltage switching for SD card Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 45/51] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 46/51] Bluetooth: Fix regression with minimum encryption key size alignment Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 47/51] SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 48/51] cfg80211: fix memory leak of wiphy device name Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 49/51] mac80211: drop robust management frames from unknown TA Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 50/51] mac80211: handle deauthentication/disassociation from TDLS peer Greg Kroah-Hartman
2019-06-24 9:57 ` [PATCH 4.14 51/51] mac80211: Do not use stack memory with scatterlist for GMAC Greg Kroah-Hartman
2019-06-24 15:31 ` [PATCH 4.14 00/51] 4.14.130-stable review kernelci.org bot
2019-06-24 15:47 ` Naresh Kamboju
2019-06-24 18:03 ` Guenter Roeck
2019-06-25 9:59 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190624092307.714151995@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).