From: Sachin Grover To: paul@paul-moore.com, sds@tycho.nsa.gov Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, Sachin Grover Subject: [PATCH] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity Date: Fri, 25 May 2018 14:01:39 +0530 Message-Id: <1527237099-9728-1-git-send-email-sgrover@codeaurora.org> X-Mailer: git-send-email 1.9.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Call trace: [] dump_backtrace+0x0/0x428 [] show_stack+0x28/0x38 [] dump_stack+0xd4/0x124 [] print_address_description+0x68/0x258 [] kasan_report.part.2+0x228/0x2f0 [] kasan_report+0x5c/0x70 [] check_memory_region+0x12c/0x1c0 [] memcpy+0x34/0x68 [] xattr_getsecurity+0xe0/0x160 [] vfs_getxattr+0xc8/0x120 [] getxattr+0x100/0x2c8 [] SyS_fgetxattr+0x64/0xa0 [] el0_svc_naked+0x24/0x28 If user get root access and calls security.selinux setxattr() with an embedded NUL on a file and then if some process performs a getxattr() on that file with a length greater than the actual length of the string, it would result in a panic. To fix this, add the actual length of the string to the security context instead of the length passed by the userspace process. Signed-off-by: Sachin Grover --- security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 66ea81c..d17f5b4 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1434,7 +1434,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len, scontext_len, &context, def_sid); if (rc == -EINVAL && force) { context.str = str; - context.len = scontext_len; + context.len = strlen(str) + 1; str = NULL; } else if (rc) goto out_unlock; -- 1.9.1
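Review bot: the commit message should state why strlen(str) + 1 is the right bound here, because it is not checkable from the hunk alone. The hunk shows context.str taking ownership of str (str = NULL immediately after), so context.len has to describe that buffer; the caller-supplied scontext_len can be larger than the NUL-terminated copy when the input carries an embedded NUL, which is the over-read the KASAN report shows. One sentence saying that str is a NUL-terminated copy of the input (so strlen(str) + 1 is exactly its allocation size) makes the change self-explanatory. Also, since this is an out-of-bounds read reachable from setxattr()/getxattr(), add a Fixes: tag for the commit that introduced the force path and Cc: stable@vger.kernel.org, and paste the KASAN "BUG:" line (access size, address, and the allocation site) above the call trace rather than the trace on its own, so reviewers can see the read length without reproducing the report.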
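The following C program is an added example that is not part of the patch or the kernel. It models the scenario in the commit message with a hypothetical struct context and a kstrdup-style copy (dup_cstring), so that the length/buffer mismatch can be measured rather than triggered: storing the caller's byte count alongside a NUL-terminated copy leaves len larger than the buffer when the input has an embedded NUL, while strlen(str) + 1 keeps the two consistent.

```c
/* Added example, not kernel code: a context record that keeps a
 * NUL-terminated copy of a label plus the byte count a consumer will
 * later copy out of it. If the count comes from the caller instead of
 * from the copy, an input with an embedded NUL makes len exceed the
 * allocation, and any len-byte copy would read past the buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct context {
    char *str;   /* NUL-terminated copy of the label */
    size_t len;  /* bytes a consumer will copy out of str */
};

/* Like kstrdup(): duplicates s up to (and including) its first NUL. */
static char *dup_cstring(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Stores a bounded copy of buf and records either the caller-supplied
 * byte count (use_caller_len != 0, the "before" behaviour) or
 * strlen(str) + 1 (the fix). Returns 0 on success, -1 on allocation
 * failure. */
static int context_store(struct context *ctx, const char *buf,
                         size_t buf_len, int use_caller_len)
{
    /* NUL-terminate a bounded copy, then duplicate it as a C string */
    char *tmp = malloc(buf_len + 1);
    if (!tmp)
        return -1;
    memcpy(tmp, buf, buf_len);
    tmp[buf_len] = '\0';
    ctx->str = dup_cstring(tmp); /* stops at the first embedded NUL */
    free(tmp);
    if (!ctx->str)
        return -1;
    ctx->len = use_caller_len ? buf_len : strlen(ctx->str) + 1;
    return 0;
}

/* Returns 1 when ctx->len lies within the allocation behind ctx->str,
 * 0 when a len-byte copy would run past it. */
static int context_len_is_safe(const struct context *ctx)
{
    return ctx->len <= strlen(ctx->str) + 1;
}

/* Number of bytes a len-sized copy would overrun by; 0 when consistent,
 * (size_t)-1 on allocation failure. */
static size_t context_overrun_bytes(const char *buf, size_t buf_len,
                                    int use_caller_len)
{
    struct context ctx;
    size_t over;

    if (context_store(&ctx, buf, buf_len, use_caller_len))
        return (size_t)-1;
    over = context_len_is_safe(&ctx) ? 0 : ctx.len - (strlen(ctx.str) + 1);
    free(ctx.str);
    return over;
}

int main(void)
{
    /* Constructed input: a label, an embedded NUL, then 8 bytes of padding */
    static const char label[] = "u:object_r:foo_t:s0\0AAAAAAAA";
    size_t n = sizeof(label) - 1; /* 28 bytes as handed in by the caller */

    printf("before fix: overrun %zu bytes\n", context_overrun_bytes(label, n, 1));
    printf("after fix:  overrun %zu bytes\n", context_overrun_bytes(label, n, 0));
    return 0;
}
```

The example deliberately reports the mismatch instead of performing the over-read, which is what a unit test for this invariant should do: whatever allocates the copy must also be the source of the length stored next to it.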