| From: Sachin Grover <sgrover@codeaurora.org> |
| Date: Fri, 25 May 2018 14:01:39 +0530 |
| Subject: selinux: KASAN: slab-out-of-bounds in xattr_getsecurity |
| |
| commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream. |
| |
| Call trace: |
| [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428 |
| [<ffffff9203a8dbf8>] show_stack+0x28/0x38 |
| [<ffffff920409bfb8>] dump_stack+0xd4/0x124 |
| [<ffffff9203d187e8>] print_address_description+0x68/0x258 |
| [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0 |
| [<ffffff9203d1927c>] kasan_report+0x5c/0x70 |
| [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0 |
| [<ffffff9203d17cdc>] memcpy+0x34/0x68 |
| [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160 |
| [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120 |
| [<ffffff9203d75d68>] getxattr+0x100/0x2c8 |
| [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0 |
| [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28 |
| |
| If a user gets root access and calls security.selinux setxattr() with an |
| embedded NUL on a file, and then some process performs a getxattr() |
| on that file with a length greater than the actual length of the string, |
| it would result in a panic. |
| |
| To fix this, add the actual length of the string to the security context |
| instead of the length passed by the userspace process. |
| |
| Signed-off-by: Sachin Grover <sgrover@codeaurora.org> |
| Signed-off-by: Paul Moore <paul@paul-moore.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
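The mechanism described in the commit message, as an added user-space model (not kernel code, and not part of this patch): the "force" path keeps an uninterpreted context as a NUL-terminated duplicate plus a length, and the later read-out copies `len` bytes from that duplicate. If `len` is the caller's value length rather than the size of the duplicate, a value with an embedded NUL makes the copy run past the allocation. The names `sim_context`, `context_store_sim`, `context_copy_out_sim`, `stored_len_sim` and `demo_embedded_nul` are hypothetical stand-ins for the kernel's context struct and its store/getxattr paths; the read-out here refuses the over-read instead of performing it, which is what KASAN flagged in the kernel trace above.

```c
/*
 * Added example, not kernel code: a user-space model of the length
 * mismatch fixed by this patch.  All names below are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sim_context {
    char *str;    /* NUL-terminated duplicate of the raw context string */
    size_t len;   /* bytes the read-out path will copy from str */
    size_t alloc; /* real size of the allocation behind str (for checking) */
};

/* Like kstrdup: allocates strlen(s)+1 bytes and stops at the first NUL. */
static char *dup_to_first_nul(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/*
 * Model of the "force" path: the raw value is NUL-terminated, duplicated
 * up to the first NUL, and the stored length is either the caller's
 * value_len (pre-patch) or strlen(str) + 1 (post-patch).
 */
static int context_store_sim(struct sim_context *ctx, const char *value,
                             size_t value_len, int use_strlen)
{
    char *tmp = malloc(value_len + 1);
    if (!tmp)
        return -1;
    memcpy(tmp, value, value_len);
    tmp[value_len] = '\0';

    ctx->str = dup_to_first_nul(tmp);
    free(tmp);
    if (!ctx->str)
        return -1;
    ctx->alloc = strlen(ctx->str) + 1;
    ctx->len = use_strlen ? strlen(ctx->str) + 1 : value_len;
    return 0;
}

/*
 * Model of the getxattr read-out: copy ctx->len bytes out of ctx->str.
 * Returns bytes copied, or -1 if the copy would read past the end of
 * str (the over-read the kernel's memcpy actually performed) or past
 * the caller's buffer.
 */
static long context_copy_out_sim(const struct sim_context *ctx, char *buf,
                                 size_t bufsize)
{
    if (ctx->len > ctx->alloc)
        return -1;
    if (ctx->len > bufsize)
        return -1;
    memcpy(buf, ctx->str, ctx->len);
    return (long)ctx->len;
}

/* Stored length for a value under either rule, or -1 on allocation failure. */
static long stored_len_sim(const char *value, size_t value_len, int use_strlen)
{
    struct sim_context c;
    if (context_store_sim(&c, value, value_len, use_strlen))
        return -1;
    free(c.str);
    return (long)c.len;
}

/* Constructed input: "bad", a NUL, then padding, with value_len = 64.
 * Returns 1 if the pre-patch rule over-reads and the fixed rule does not. */
static int demo_embedded_nul(void)
{
    char value[64];
    char buf[64];
    struct sim_context before, after;

    memset(value, 'A', sizeof(value));
    memcpy(value, "bad", 3);
    value[3] = '\0';

    if (context_store_sim(&before, value, sizeof(value), 0))
        return 0;
    if (context_store_sim(&after, value, sizeof(value), 1))
        return 0;
    long n_before = context_copy_out_sim(&before, buf, sizeof(buf));
    long n_after = context_copy_out_sim(&after, buf, sizeof(buf));
    free(before.str);
    free(after.str);
    /* pre-patch: len 64 vs allocation 4 -> over-read; post-patch: 4 bytes */
    return n_before == -1 && n_after == 4;
}

int main(void)
{
    printf("embedded-NUL length mismatch %s\n",
           demo_embedded_nul() ? "reproduced" : "not reproduced");
    return 0;
}
```

The model makes the point of the one-line fix concrete: the duplicate is sized by the first NUL, so the only length that can safely drive a later `memcpy` from it is `strlen(str) + 1`; any bytes the caller supplied after an embedded NUL are dropped at duplication time and must not be counted.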
| --- |
| security/selinux/ss/services.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/security/selinux/ss/services.c |
| +++ b/security/selinux/ss/services.c |
| @@ -1270,7 +1270,7 @@ static int security_context_to_sid_core( |
| scontext_len, &context, def_sid); |
| if (rc == -EINVAL && force) { |
| context.str = str; |
| - context.len = scontext_len; |
| + context.len = strlen(str) + 1; |
| str = NULL; |
| } else if (rc) |
| goto out_unlock; |