From: Paul Moore
Date: Wed, 30 May 2018 11:31:31 -0400
Subject: Re: [PATCH] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
To: Stephen Smalley
Cc: Sachin Grover, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 30, 2018 at 11:23 AM, Stephen Smalley wrote:
> On 05/30/2018 11:19 AM, Paul Moore wrote:
>> On Fri, May 25, 2018 at 4:31 AM, Sachin Grover wrote:
>>> Call trace:
>>> [] dump_backtrace+0x0/0x428
>>> [] show_stack+0x28/0x38
>>> [] dump_stack+0xd4/0x124
>>> [] print_address_description+0x68/0x258
>>> [] kasan_report.part.2+0x228/0x2f0
>>> [] kasan_report+0x5c/0x70
>>> [] check_memory_region+0x12c/0x1c0
>>> [] memcpy+0x34/0x68
>>> [] xattr_getsecurity+0xe0/0x160
>>> [] vfs_getxattr+0xc8/0x120
>>> [] getxattr+0x100/0x2c8
>>> [] SyS_fgetxattr+0x64/0xa0
>>> [] el0_svc_naked+0x24/0x28
>>>
>>> If a user gets root access and calls security.selinux setxattr() with an
>>> embedded NUL on a file and then some process performs a getxattr()
>>> on that file with a length greater than the actual length of the string,
>>> it would result in a panic.
>>>
>>> To fix this, add the actual length of the string to the security context
>>> instead of the length passed by the userspace process.
>>>
>>> Signed-off-by: Sachin Grover
>>> ---
>>>  security/selinux/ss/services.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> Thanks for reporting this and providing a patch. It's small enough,
>> and passes all the regular tests, so I've merged it into
>> selinux/stable-4.17 (adding the stable metadata) and I'm going to send
>> it up to Linus today.
>>
>> If Linus doesn't pull the fix in time for v4.17 I'll send it up during
>> the upcoming merge window.
>
> NB Such a setxattr() call can only be performed by a process with
> CAP_MAC_ADMIN that is also allowed mac_admin permission in SELinux policy.
> Consequently, this is never possible on Android (no process is allowed
> mac_admin permission, always enforcing) and is only possible in
> Fedora/RHEL for a few domains (if enforcing).

Yes the risk is small, and if it wasn't such a trivial and self-contained
patch I probably would have just deferred it for the merge window, but
considering everything I think there is value in getting this in for
v4.17.  If Linus decides not to merge this into v4.17 I think that is
okay too.

> Fixes: 9a59daa03df72526d234b91dd3e32ded5aebd3ef ("SELinux: fix sleeping allocation in security_context_to_sid")
>
>>
>>> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
>>> index 66ea81c..d17f5b4 100644
>>> --- a/security/selinux/ss/services.c
>>> +++ b/security/selinux/ss/services.c
>>> @@ -1434,7 +1434,7 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
>>>  					  scontext_len, &context, def_sid);
>>>  	if (rc == -EINVAL && force) {
>>>  		context.str = str;
>>> -		context.len = scontext_len;
>>> +		context.len = strlen(str) + 1;
>>>  		str = NULL;
>>>  	} else if (rc)
>>>  		goto out_unlock;
>>> --
>>> 1.9.1

-- 
paul moore
www.paul-moore.com
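Review bot: the one-line change to `context.len = strlen(str) + 1;` is the right scope for a stable fix, but two things should be carried into the committed version. First, the posted patch has no Fixes: or Cc: stable line even though the thread says it is headed for stable-4.17; Stephen's suggested tag (9a59daa03df72526d234b91dd3e32ded5aebd3ef "SELinux: fix sleeping allocation in security_context_to_sid") belongs in the commit. Second, a short comment at the assignment would help future readers: str is the NUL-terminated copy kept on the force path, and len must describe that copy rather than the caller's scontext_len, because the trace shows the stored length being used as a memcpy size later in xattr_getsecurity.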
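The length-bookkeeping mistake the patch corrects is easy to see in a user-space model. The following is an added example, not code from the patch, the kernel or anyone in this thread: it mimics the "force" path (a context that fails to parse is kept as a raw string plus a recorded length), then models the export side under the assumption that the exporting code sizes its duplicate from strlen() while handing back the recorded length as the byte count, which is the mismatch the KASAN report points at. All names (`stored_context`, `store_forced_context`, `export_overrun`, the sample label) are this example's own.

```c
/* Added example: user-space model of the context.len bookkeeping fixed by
 * the patch. Not kernel code; names and the sample label are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct stored_context {
	char *str;   /* NUL-terminated copy of the raw label */
	size_t len;  /* length recorded alongside it */
};

/* Mirrors the "force" path: copy scontext_len bytes, NUL-terminate, record a
 * length. use_strlen == 0 records the caller's length (pre-patch behaviour);
 * use_strlen != 0 records the NUL-terminated length of what was actually
 * stored (the patch's behaviour). Returns 0 on success, -1 on allocation
 * failure. */
static int store_forced_context(struct stored_context *ctx,
				const char *scontext, size_t scontext_len,
				int use_strlen)
{
	char *str = malloc(scontext_len + 1);
	if (!str)
		return -1;
	memcpy(str, scontext, scontext_len);
	str[scontext_len] = '\0';
	ctx->str = str;
	ctx->len = use_strlen ? strlen(str) + 1 : scontext_len;
	return 0;
}

/* Model of the export side (an assumption of this example): the string is
 * duplicated with a strdup-style copy, so the new buffer holds strlen()+1
 * bytes, while the recorded length is returned as the byte count a caller
 * will memcpy. Returns how many bytes such a copy would read past the
 * duplicated buffer; 0 means the copy stays in bounds. */
static size_t export_overrun(const struct stored_context *ctx)
{
	size_t dup_size = strlen(ctx->str) + 1;  /* what strdup() allocates */
	return ctx->len > dup_size ? ctx->len - dup_size : 0;
}

/* Constructed sample: a label, an embedded NUL, then trailing bytes, passed
 * with the full buffer length as a setxattr() caller could supply it. */
static const char sample_label[] = "user_u:object_r:t:s0\0trailing-bytes";
static const size_t sample_label_len = sizeof(sample_label) - 1; /* 35 */

/* Bytes the export copy would read out of bounds with the old bookkeeping. */
static size_t overrun_before_fix(void)
{
	struct stored_context ctx;
	size_t n;
	if (store_forced_context(&ctx, sample_label, sample_label_len, 0))
		return (size_t)-1;
	n = export_overrun(&ctx);
	free(ctx.str);
	return n;
}

/* Same input with the length recorded as strlen(str) + 1. */
static size_t overrun_after_fix(void)
{
	struct stored_context ctx;
	size_t n;
	if (store_forced_context(&ctx, sample_label, sample_label_len, 1))
		return (size_t)-1;
	n = export_overrun(&ctx);
	free(ctx.str);
	return n;
}

int main(void)
{
	printf("pre-patch: export copy overruns by %zu bytes\n",
	       overrun_before_fix());
	printf("patched:   export copy overruns by %zu bytes\n",
	       overrun_after_fix());
	return 0;
}
```

The sample label is 20 characters before the embedded NUL, so the stored string is 21 bytes including its terminator while the caller's length is 35; recording the caller's length leaves 14 bytes that a later copy sized from strlen() does not own, and recording strlen(str) + 1 makes the two numbers agree.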