From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Paul Moore, William Roberts
Subject: [PATCH 4.9 014/145] selinux: ensure the context is NUL terminated in security_context_to_sid_core()
Date: Fri, 23 Feb 2018 19:25:20 +0100
Message-Id: <20180223170726.493008536@linuxfoundation.org>
In-Reply-To: <20180223170724.669759283@linuxfoundation.org>
References: <20180223170724.669759283@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Moore commit ef28df55ac27e1e5cd122e19fa311d886d47a756 upstream. The syzbot/syzkaller automated tests found a problem in security_context_to_sid_core() during early boot (before we load the SELinux policy) where we could potentially feed context strings without NUL terminators into the strcmp() function. We already guard against this during normal operation (after the SELinux policy has been loaded) by making a copy of the context strings and explicitly adding a NUL terminator to the end. The patch extends this protection to the early boot case (no loaded policy) by moving the context copy earlier in security_context_to_sid_core(). Reported-by: syzbot Signed-off-by: Paul Moore Reviewed-By: William Roberts Signed-off-by: Greg Kroah-Hartman --- security/selinux/ss/services.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1400,27 +1400,25 @@ static int security_context_to_sid_core( if (!scontext_len) return -EINVAL; + /* Copy the string to allow changes and ensure a NUL terminator */ + scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags); + if (!scontext2) + return -ENOMEM; + if (!ss_initialized) { int i; for (i = 1; i < SECINITSID_NUM; i++) { - if (!strcmp(initial_sid_to_string[i], scontext)) { + if (!strcmp(initial_sid_to_string[i], scontext2)) { *sid = i; - return 0; + goto out; } } *sid = SECINITSID_KERNEL; - return 0; + goto out; } *sid = SECSID_NULL; - /* Copy the string so that we can modify the copy as we parse it. */ - scontext2 = kmalloc(scontext_len + 1, gfp_flags); - if (!scontext2) - return -ENOMEM; - memcpy(scontext2, scontext, scontext_len); - scontext2[scontext_len] = 0; - if (force) { /* Save another copy for storing in uninterpreted form */ rc = -ENOMEM;
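
Review bot: In the `!ss_initialized` branch, both `return 0` statements become `goto out`, so the early-boot return value now depends on `rc` and on the `out:` label, neither of which is visible in this hunk. Please confirm that `rc` is still 0 when that branch runs (or set `rc = 0;` just before each `goto out`) and that `out:` frees `scontext2`; otherwise an initial-SID match could return a stale error or leak the copy. It is also worth stating in the changelog that, with `kmemdup_nul()` moved above the branch, a pre-policy lookup can now fail with `-ENOMEM` where it previously could not, and that this 4.9 backport needs `kmemdup_nul()` to be available in the tree.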
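
The copy-before-compare pattern the commit message describes, as an added userspace example that is not part of the patch or the kernel source: `dup_nul()` models `kmemdup_nul()`, and `demo_sid_names`, `demo_context_to_sid()` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's initial_sid_to_string[] table. */
static const char *const demo_sid_names[] = { NULL, "kernel", "security", "unlabeled" };
#define DEMO_SID_NUM    4
#define DEMO_SID_KERNEL 1

/* Userspace model of kmemdup_nul(): copy len bytes and append a NUL. */
static char *dup_nul(const char *src, size_t len)
{
    char *copy = malloc(len + 1);
    if (!copy)
        return NULL;
    memcpy(copy, src, len);
    copy[len] = '\0';
    return copy;
}

/* Map a length-delimited context to a demo SID; returns 0, or -1 on error. */
static int demo_context_to_sid(const char *ctx, size_t len, unsigned *sid)
{
    char *copy;
    unsigned i;

    if (!len)
        return -1;
    copy = dup_nul(ctx, len);   /* never hand the caller's buffer to strcmp() */
    if (!copy)
        return -1;
    *sid = DEMO_SID_KERNEL;     /* fallback when nothing matches */
    for (i = 1; i < DEMO_SID_NUM; i++) {
        if (!strcmp(demo_sid_names[i], copy)) {
            *sid = i;
            break;
        }
    }
    free(copy);                 /* single exit path releases the copy */
    return 0;
}

int main(void)
{
    /* Constructed input: 8 meaningful bytes, no terminator, then unrelated bytes. */
    const char raw[] = { 's','e','c','u','r','i','t','y','J','U','N','K' };
    unsigned sid = 0;

    if (demo_context_to_sid(raw, 8, &sid) == 0)
        printf("sid=%u\n", sid);
    return 0;
}
```

Because the comparison runs on the terminated copy, the bytes that follow the 8-byte context in the caller's buffer never reach `strcmp()`.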