From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sachin Grover, Paul Moore
Subject: [PATCH 3.18 02/21] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
Date: Tue, 12 Jun 2018 18:51:59 +0200
Message-Id: <20180612164825.495531260@linuxfoundation.org>
In-Reply-To: <20180612164825.401145490@linuxfoundation.org>
References: <20180612164825.401145490@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sachin Grover

commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.

Call trace:
 [] dump_backtrace+0x0/0x428
 [] show_stack+0x28/0x38
 [] dump_stack+0xd4/0x124
 [] print_address_description+0x68/0x258
 [] kasan_report.part.2+0x228/0x2f0
 [] kasan_report+0x5c/0x70
 [] check_memory_region+0x12c/0x1c0
 [] memcpy+0x34/0x68
 [] xattr_getsecurity+0xe0/0x160
 [] vfs_getxattr+0xc8/0x120
 [] getxattr+0x100/0x2c8
 [] SyS_fgetxattr+0x64/0xa0
 [] el0_svc_naked+0x24/0x28

If a user gets root access and calls security.selinux setxattr() with an
embedded NUL on a file and then if some process performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.

To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.

Signed-off-by: Sachin Grover
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman

--- security/selinux/ss/services.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -1271,7 +1271,7 @@ static int security_context_to_sid_core( scontext_len, &context, def_sid); if (rc == -EINVAL && force) { context.str = str; - context.len = scontext_len; + context.len = strlen(str) + 1; str = NULL; } else if (rc) goto out_unlock;
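
Review bot: the new `context.len = strlen(str) + 1;` in the `rc == -EINVAL && force` branch depends on `str` being NUL-terminated, and nothing in the visible context shows where that terminator is guaranteed. Please confirm, or state in the changelog, that the buffer is always terminated before this point, since strlen() on an unterminated buffer would itself read out of bounds. The `+ 1` also deserves a one-line comment saying that context.len counts the trailing NUL, because the changelog only speaks of "the actual length of the string". It would help as well to say explicitly that any bytes userspace supplied after the embedded NUL are no longer reflected in the length stored with the forced context.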