From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Paul Moore, William Roberts
Subject: [PATCH 4.14 026/159] selinux: ensure the context is NUL terminated in security_context_to_sid_core()
Date: Fri, 23 Feb 2018 19:25:34 +0100
Message-Id: <20180223170746.353838695@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Moore

commit ef28df55ac27e1e5cd122e19fa311d886d47a756 upstream.

The syzbot/syzkaller automated tests found a problem in security_context_to_sid_core() during early boot (before we load the SELinux policy) where we could potentially feed context strings without NUL terminators into the strcmp() function.

We already guard against this during normal operation (after the SELinux policy has been loaded) by making a copy of the context strings and explicitly adding a NUL terminator to the end. The patch extends this protection to the early boot case (no loaded policy) by moving the context copy earlier in security_context_to_sid_core().

Reported-by: syzbot
Signed-off-by: Paul Moore
Reviewed-By: William Roberts
Signed-off-by: Greg Kroah-Hartman

--- security/selinux/ss/services.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1413,27 +1413,25 @@ static int security_context_to_sid_core( if (!scontext_len) return -EINVAL; + /* Copy the string to allow changes and ensure a NUL terminator */ + scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); + if (!scontext2) + return -ENOMEM; + if (!ss_initialized) { int i; for (i = 1; i < SECINITSID_NUM; i++) { - if (!strcmp(initial_sid_to_string[i], scontext)) { + if (!strcmp(initial_sid_to_string[i], scontext2)) { *sid = i; - return 0; + goto out; } } *sid = SECINITSID_KERNEL; - return 0; + goto out; } *sid = SECSID_NULL; - /* Copy the string so that we can modify the copy as we parse it. */ - scontext2 = kmalloc(scontext_len + 1, gfp_flags); - if (!scontext2) - return -ENOMEM; - memcpy(scontext2, scontext, scontext_len); - scontext2[scontext_len] = 0; - if (force) { /* Save another copy for storing in uninterpreted form */ rc = -ENOMEM;
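Review bot: in the `!ss_initialized` block, both exits change from `return 0` to `goto out`, so the early-boot return value is no longer a literal 0 but whatever the `out` path returns, and the hunk shows neither that label nor the initial value of `rc`. Please confirm in the full function that `rc` is 0 when these two jumps are taken and that `out` frees `scontext2`; otherwise the early-boot path either leaks the new copy or returns a stale value. It would also be worth stating in the changelog that moving the `kmemdup_nul()` call above the `ss_initialized` check means the early-boot lookup can now fail with -ENOMEM, which it could not do before.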