Message-ID: <1512395025.20988.3.camel@tycho.nsa.gov>
Subject: Re: KASAN: slab-out-of-bounds Read in strcmp
From: Stephen Smalley
To: Tetsuo Handa, syzbot, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, syzkaller-bugs@googlegroups.com
Cc: linux-kernel@vger.kernel.org, dledford@redhat.com, mka@chromium.org, junil0814.lee@lge.com, kyeongdon.kim@lge.com
Date: Mon, 04 Dec 2017 08:43:45 -0500
In-Reply-To: <97d6bab0-d278-9945-5d82-a0a76b8b78c5@I-love.SAKURA.ne.jp>
References: <001a113f711a721c58055f052200@google.com> <089e08259d282c063e055f4bddbd@google.com> <97d6bab0-d278-9945-5d82-a0a76b8b78c5@I-love.SAKURA.ne.jp>
Organization: National Security Agency

On Sun, 2017-12-03 at 20:33 +0900, Tetsuo Handa wrote:
> On 2017/12/02 3:52, syzbot wrote:
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in strcmp+0x96/0xb0 lib/string.c:328
> > Read of size 1 at addr ffff8801cd99d2c1 by task syzkaller242593/3087
> >
> > CPU: 0 PID: 3087 Comm: syzkaller242593 Not tainted 4.15.0-rc1-next-20171201+ #57
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:17 [inline]
> >  dump_stack+0x194/0x257 lib/dump_stack.c:53
> >  print_address_description+0x73/0x250 mm/kasan/report.c:252
> >  kasan_report_error mm/kasan/report.c:351 [inline]
> >  kasan_report+0x25b/0x340 mm/kasan/report.c:409
> >  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
> >  strcmp+0x96/0xb0 lib/string.c:328
>
> This seems to be out of bound read for "scontext" at
>
>     for (i = 1; i < SECINITSID_NUM; i++) {
>         if (!strcmp(initial_sid_to_string[i], scontext)) {
>             *sid = i;
>             return 0;
>         }
>     }
>
> because "initial_sid_to_string[i]" is "const char *".
>
> >  security_context_to_sid_core+0x437/0x620 security/selinux/ss/services.c:1420
> >  security_context_to_sid+0x32/0x40 security/selinux/ss/services.c:1479
> >  selinux_setprocattr+0x51c/0xb50 security/selinux/hooks.c:5986
> >  security_setprocattr+0x85/0xc0 security/security.c:1264
>
> If "value" does not terminate with '\0' or '\n', "value" and
> "size" are as-is passed to "scontext" and "scontext_len" above
>
>     /* Obtain a SID for the context, if one was specified. */
>     if (size && str[0] && str[0] != '\n') {
>         if (str[size-1] == '\n') {
>             str[size-1] = 0;
>             size--;
>         }
>         error = security_context_to_sid(value, size, &sid, GFP_KERNEL);
>
> which will allow strcmp() to trigger out of bound read when "size" is
> larger than strlen(initial_sid_to_string[i]).
>
> Thus, I guess the simplest fix is to use strncmp() instead of
> strcmp().

Already fixed by https://www.spinics.net/lists/selinux/msg23589.html

> >  proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2574
> >  __vfs_write+0xef/0x970 fs/read_write.c:480
> >  __kernel_write+0xfe/0x350 fs/read_write.c:501
> >  write_pipe_buf+0x175/0x220 fs/splice.c:797
> >  splice_from_pipe_feed fs/splice.c:502 [inline]
> >  __splice_from_pipe+0x328/0x730 fs/splice.c:626
> >  splice_from_pipe+0x1e9/0x330 fs/splice.c:661
> >  default_file_splice_write+0x40/0x90 fs/splice.c:809
> >  do_splice_from fs/splice.c:851 [inline]
> >  direct_splice_actor+0x125/0x180 fs/splice.c:1018
> >  splice_direct_to_actor+0x2c1/0x820 fs/splice.c:973
> >  do_splice_direct+0x2a7/0x3d0 fs/splice.c:1061
> >  do_sendfile+0x5d5/0xe90 fs/read_write.c:1413
> >  SYSC_sendfile64 fs/read_write.c:1468 [inline]
> >  SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
> >  entry_SYSCALL_64_fastpath+0x1f/0x96
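As an added example, not code from this thread, from the kernel, or from the linked fix: a user-space lookup that compares a caller-supplied, length-delimited context buffer (the `scontext`/`scontext_len` pair discussed above) against a table of NUL-terminated names without ever reading past `len`. The table is a constructed stand-in for SELinux's `initial_sid_to_string`, the loop starts at 1 to mirror the quoted kernel loop, and the helper checks the length before `memcmp` so that a truncated prefix of a name is not reported as a match.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for SELinux's initial-SID name table (not the
 * kernel's real table); index 0 is unused, as the quoted loop starts at 1. */
static const char *const initial_sid_to_string[] = {
	"null", "kernel", "security", "unlabeled", "fs",
};
#define SECINITSID_NUM \
	(sizeof(initial_sid_to_string) / sizeof(initial_sid_to_string[0]))

/*
 * Look up a context that is not guaranteed to be NUL-terminated.
 * Only the first 'len' bytes of 'scontext' are ever read, so a
 * caller-supplied buffer of exactly 'len' bytes cannot be over-read
 * the way strcmp() over-reads it in the KASAN report above.
 * Returns the initial SID index, or -1 if nothing matches.
 */
int initial_sid_lookup(const char *scontext, size_t len)
{
	size_t i;

	/* As in proc_pid_attr_write(): a single trailing '\n' is not
	 * part of the context. */
	if (len && scontext[len - 1] == '\n')
		len--;
	if (len == 0)
		return -1;

	for (i = 1; i < SECINITSID_NUM; i++) {
		const char *name = initial_sid_to_string[i];

		/* Compare lengths before bytes: strncmp(name, scontext, len)
		 * alone would accept a truncated prefix such as "kern". */
		if (strlen(name) == len && memcmp(name, scontext, len) == 0)
			return (int)i;
	}
	return -1;
}

/* Constructed input in the report's shape: newline-terminated, no NUL byte. */
int lookup_unterminated_sample(void)
{
	const char buf[7] = { 'k', 'e', 'r', 'n', 'e', 'l', '\n' };

	return initial_sid_lookup(buf, sizeof(buf));  /* returns 1 ("kernel") */
}
```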