Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5178130ybi; Tue, 28 May 2019 08:47:06 -0700 (PDT) X-Google-Smtp-Source: APXvYqzZidt/TjlbWgHm/8MfMIfonMyPrYjDVVS+5660rTRHAREzJe13DoCBhG6Un+l7d2UWRZwK X-Received: by 2002:a62:75c6:: with SMTP id q189mr141474472pfc.98.1559058426824; Tue, 28 May 2019 08:47:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559058426; cv=none; d=google.com; s=arc-20160816; b=eXAr9RDqNwFSj8vMrf2uWGHOcI2ECr4NX8BBST+3FUokHxV8TzJkUGmqJhCz/dF04t pe6XwYNFmAZTN2XTkSPFyXcsAe0WtqQWRA277C6vW04WBCdbX+cxqTWGKQNj5oRipiiq mtBuvNBETMSAYshLaSAXmuzgWC/DwMjCUwMvVZs+9wbVbW4SKT8p3A3JIP6r0cODGiVK cvP1ayMgoZbMXJli/+rD41yD8vI4W4iJRAbuB9XOkcGqZEXnWRrgGQH8oGOnSDkb2CIu rwL0daP2EwXc166EZ4E7bMz8Yttf5GklcGqrGHyftpkxqbP3bY2b6kxC2WOBRNKk+ogd HZYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=gfjeve/Jsw5lOi8JMAQQxMghnHhlj8GnAzUWdfIEwD4=; b=bW7Q3Ty0wDVci8/pbUFcLZJwR/ntEg1feWmlpUcreuawmAGmSCNb9sm1F08KWzYW4U hudm0f6t6NIBnjEXrmmDZyHLmR6AOwzVPRP7d/NMh0vPwh/Un9Cyv6APK3eRrcck/joc K/8YKgqe3bSCxTm9Rs6hikrXn9kiOZhlNEHF6x+j0pEWlUUZcE7Pwr+JVWaX6xvze6wh qNkMagm7k8zark+FJgZE+RkLpzlUiamBW+G2htj9VGC1YHN3hLqZ5s2H6kWulUw7FynV 24DgteX0PkRQxM7VjAJ8NmAM/WXx9fbsYu43Cfiag2y3P2TYA2yagRYn3/NhXTGh5QjT CE0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MEickYCO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 36si22827585pgw.281.2019.05.28.08.46.49; Tue, 28 May 2019 08:47:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MEickYCO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727753AbfE1Pc4 (ORCPT + 99 others); Tue, 28 May 2019 11:32:56 -0400 Received: from mail-yw1-f73.google.com ([209.85.161.73]:50958 "EHLO mail-yw1-f73.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727676AbfE1Pc4 (ORCPT ); Tue, 28 May 2019 11:32:56 -0400 Received: by mail-yw1-f73.google.com with SMTP id x3so3090294ywd.17 for ; Tue, 28 May 2019 08:32:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=gfjeve/Jsw5lOi8JMAQQxMghnHhlj8GnAzUWdfIEwD4=; b=MEickYCOmg/vqRSyekS1D+0uAv2rRtP/GiT+iGHTYeeAYVwvz2sZEGrmL6FlvRGuIW 9KcQGEuYnP4h34p/RDPaIbQqbuIFCOVdhgYWk+da2achzLGGIJqboEdCAiMic3s+m897 HOF0nfz0zjPc/6EHUrW4NWgocinps9cnHCN/WkPojHEKIZANi1yKQKCZ5IFXhy8rpH1D JHLA+r7gvZDWJzDayK8poYJ+pByRsDuNWqGpFxrJR9wpG5EqamRZebocTZXfd1G03TFO 1Qn6H6KLNTi0EgxuhbW5S2ylD04MD5N4OOgcG3IU2fnEf404r0rFKtZsKkIqP3gQmM/2 mHuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=gfjeve/Jsw5lOi8JMAQQxMghnHhlj8GnAzUWdfIEwD4=; b=lKDXsQkSaOgFKWn2ho4HGjJg1UlabQuozK3wTJA5u1kxVHtlGT5qt0dYN2W1zEWs2D tTRuaJlrV+nUROwVvskb83aa1QUw0pVUHtoSY/NSwzSQi/WAtsX4H/2t7DvfNUPX9ALJ FziUGpQCtg5OvYalTjtJC1CzOHZ8pdVaAMVcscHFkbpMTGqO964oAMHRXKj8eVCJc5mF xH0sW1nXojXNBbhJIOMjbFOzt4H7u5GZOx3NIqncke26IZdgg20X0mrEY5SKMr1prDIK mc3+br7YV6hjTjbe7ek8LpkTIfa3D1Ey/+Xpz6yhR6zz1ExynT9PWK0LakmhqPIrGUSb 5Mdg== X-Gm-Message-State: APjAAAX8mRvBJCBboRGCAzhLdRCXLNsjpiMIxkE8suP1jmFIbgdOm2Aw 94q/jhpCG5YoToAwWCUNE1+5+jfyqg== X-Received: by 2002:a81:55c9:: with SMTP id j192mr6615282ywb.161.1559057575350; Tue, 28 May 2019 08:32:55 -0700 (PDT) Date: Tue, 28 May 2019 17:32:26 +0200 Message-Id: <20190528153226.248785-1-jannh@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.22.0.rc1.257.g3120a18244-goog Subject: [PATCH] apparmor: enforce nullbyte at end of tag string From: Jann Horn To: John Johansen , jannh@google.com Cc: "Serge E. Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A packed AppArmor policy contains null-terminated tag strings that are read by unpack_nameX(). However, unpack_nameX() uses string functions on them without ensuring that they are actually null-terminated, potentially leading to out-of-bounds accesses. Make sure that the tag string is null-terminated before passing it to strcmp(). Cc: stable@vger.kernel.org Signed-off-by: Jann Horn --- Warning: The existence of this bug has not been verified at runtime, and the patch is compile-tested only. I noticed this while browsing through the code, but didn't want to spend the time necessary to figure out how to actually test this at runtime. security/apparmor/policy_unpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index f6c2bcb2ab14..33041c4fb69f 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -276,7 +276,7 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) char *tag = NULL; size_t size = unpack_u16_chunk(e, &tag); /* if a name is specified it must match. otherwise skip tag */ - if (name && (!size || strcmp(name, tag))) + if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) goto fail; } else if (name) { /* if a name is specified and there is no name tag fail */ -- 2.22.0.rc1.257.g3120a18244-goog