In-Reply-To: <1527237099-9728-1-git-send-email-sgrover@codeaurora.org>
References: <1527237099-9728-1-git-send-email-sgrover@codeaurora.org>
From: Paul Moore
Date: Wed, 30 May 2018 11:19:42 -0400
Subject: Re: [PATCH] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
To: Sachin Grover
Cc: Stephen Smalley, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov

On Fri, May 25, 2018 at 4:31 AM, Sachin Grover wrote:
> Call trace:
> [] dump_backtrace+0x0/0x428
> [] show_stack+0x28/0x38
> [] dump_stack+0xd4/0x124
> [] print_address_description+0x68/0x258
> [] kasan_report.part.2+0x228/0x2f0
> [] kasan_report+0x5c/0x70
> [] check_memory_region+0x12c/0x1c0
> [] memcpy+0x34/0x68
> [] xattr_getsecurity+0xe0/0x160
> [] vfs_getxattr+0xc8/0x120
> [] getxattr+0x100/0x2c8
> [] SyS_fgetxattr+0x64/0xa0
> [] el0_svc_naked+0x24/0x28
>
> If a user gets root access and calls security.selinux setxattr() with an
> embedded NUL on a file, and then some process performs a getxattr()
> on that file with a length greater than the actual length of the string,
> it would result in a panic.
>
> To fix this, add the actual length of the string to the security context
> instead of the length passed by the userspace process.
>
> Signed-off-by: Sachin Grover
> ---
> security/selinux/ss/services.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Thanks for reporting this and providing a patch. It's small enough, and passes all the regular tests, so I've merged it into selinux/stable-4.17 (adding the stable metadata) and I'm going to send it up to Linus today. If Linus doesn't pull the fix in time for v4.17 I'll send it up during the upcoming merge window.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 66ea81c..d17f5b4 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1434,7 +1434,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
> scontext_len, &context, def_sid);
> if (rc == -EINVAL && force) {
> context.str = str;
> - context.len = scontext_len;
> + context.len = strlen(str) + 1;
> str = NULL;
> } else if (rc)
> goto out_unlock;
> --
> 1.9.1

--
paul moore
www.paul-moore.com
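Review bot: the submission carries only a Signed-off-by, with no Cc: stable or Fixes: tag, even though the reply above says the stable metadata is being added at merge time; for a memory-safety fix that is worth putting in the patch itself. In the hunk, a one-line comment above `+ context.len = strlen(str) + 1;` saying that scontext_len is the caller-supplied xattr length and can exceed the NUL-terminated string (the embedded-NUL case from the KASAN trace) would stop a later cleanup from "simplifying" it back to `scontext_len`.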
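As an added example, not code from the patch or from the kernel tree, the following C model reproduces the length mismatch the commit message describes: the stored context string is a strdup() copy that stops at the embedded NUL, while the recorded length was the caller-supplied scontext_len, so a later copy of that many bytes runs past the string. The struct, function names and the xattr value are my own constructions; the getxattr() side is modelled, not the kernel's code.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed setxattr() value: a context (assumed invalid under policy), an
 * embedded NUL, then extra bytes: 47 bytes total, 32 before the NUL. */
static const char XATTR_VALUE[] =
    "unconfined_u:object_r:bogus_t:s0\0trailing-bytes";
#define XATTR_VALUE_LEN ((uint32_t)(sizeof(XATTR_VALUE) - 1))
struct ctx { char *str; uint32_t len; }; /* model of the kernel's context */

/* Force path before the patch: trust the caller-supplied scontext_len. */
static struct ctx ctx_before(const char *scontext, uint32_t scontext_len)
{
    struct ctx c;
    c.str = strdup(scontext); /* like kstrdup(): stops at the embedded NUL */
    c.len = scontext_len;     /* 47, although c.str holds only 33 bytes */
    return c;
}

/* Force path after the patch: record the real NUL-terminated length. */
static struct ctx ctx_after(const char *scontext, uint32_t scontext_len)
{
    struct ctx c;
    (void)scontext_len;       /* deliberately ignored now */
    c.str = strdup(scontext);
    c.len = (uint32_t)strlen(c.str) + 1; /* 33 */
    return c;
}

/* Modelled getxattr() side: a NUL-terminated copy of str (strlen+1 bytes) is
 * handed out but ctx->len bytes are memcpy()'d; returns bytes read past it. */
static size_t getxattr_overread(const struct ctx *c)
{
    size_t copy_size = strlen(c->str) + 1;
    return c->len > copy_size ? (size_t)c->len - copy_size : 0;
}

int main(void)
{
    struct ctx b = ctx_before(XATTR_VALUE, XATTR_VALUE_LEN);
    struct ctx a = ctx_after(XATTR_VALUE, XATTR_VALUE_LEN);
    printf("before: len=%u overread=%zu\n", b.len, getxattr_overread(&b));
    printf("after:  len=%u overread=%zu\n", a.len, getxattr_overread(&a));
    free(b.str); free(a.str);
    return 0;
}
```

The 14-byte overread in the "before" case is exactly what KASAN flagged as a slab-out-of-bounds read under memcpy() in xattr_getsecurity(); with the patched length the copy stays inside the string.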