Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp1190861ybn;
        Wed, 2 Oct 2019 12:11:49 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzUSpSWq0QhX9c6fWUnL4AGda/4dqmBz0jI5rwokz2BIEDMDcFF7tNezux0gPAnsW2s/DMz
X-Received: by 2002:a05:6402:13cd:: with SMTP id a13mr5503961edx.6.1570043509817;
        Wed, 02 Oct 2019 12:11:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570043509; cv=none;
        d=google.com; s=arc-20160816;
        b=jEWw8tGQf5GxeQuGKl4tqWyJxAWRRtZLhY1HvBi+xouj1FUEUiv0ZpOm4jvzayrciP
         US1Nyvkvcj+Jdtc9sa4ZW5OzDtJYeOHb7EmykpfWcepuSptXESqUN5A1tTHd5kWBRfkx
         O7fTHsgz1Lld0GBhbl7sKlBMFlXY37p7KaE1HJo4lDXOrggp/C7Ny+INhiSYSSMB7idC
         HHB+u8Epo6P3r3Pog+jaPdFBq7YVA6yg+EiL0WnxtSzmXB2diwQZYP06pGcHM9SPqQML
         77AAZRrf4rBR98bYKjCGL3QzzRK1R06T3IhSttH0sQUKjMV+AME2nnNFg/Hv5RpZF7rY
         ghfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=XfWe2vlkP6bs25WY6FzzTcp85uvW2PhEAUv87uU+CVE=;
        b=qvBPwwL9HOS6cVygqET0bHUXn+vH3RVUSNuvTjS89zWUih+fkHx6eJxV7AgUCyba8L
         3Om+d/21FzLIMS9TbuwU0+W/xlIGLtsYw4n0hZ4qNuMGuIDEvBFzEOEq0Ak5/b7P9q1B
         KV+Ye2PpVgjc5gMAAFNYWLz2dG/Wqhd0UDfZ3WL2NdfQF0TNsMjL64xmVQNTo54/mGN/
         7cejM2O27eqEtl9GsVVlwKQHx1kf2gV67FOuzIbzlR7rnS+cXf/l9I5N+aVIUOh8Dh8w
         XHZhxhi+UwxbCAisEbXtP+CdnuVH6A2TEnXbQ929guFvZfkj2NWaB7Qa3WmG8SYwIDFp
         iweg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m10si19966ejx.96.2019.10.02.12.11.25;
        Wed, 02 Oct 2019 12:11:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729858AbfJBTK1 (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Wed, 2 Oct 2019 15:10:27 -0400
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35882 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1729315AbfJBTIQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Oct 2019 15:08:16 -0400
Received: from [192.168.4.242] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjyx-00035r-HB; Wed, 02 Oct 2019 20:08:15 +0100
Received: from ben by deadeye with local (Exim 4.92.1)
        (envelope-from <ben@decadent.org.uk>)
        id 1iFjyp-0003fK-I4; Wed, 02 Oct 2019 20:08:07 +0100
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
        "John Johansen" <john.johansen@canonical.com>,
        "Jann Horn" <jannh@google.com>
Date:   Wed, 02 Oct 2019 20:06:51 +0100
Message-ID: <lsq.1570043211.513144298@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
X-Patchwork-Hint: ignore
Subject: [PATCH 3.16 68/87] apparmor: enforce nullbyte at end of tag string
In-Reply-To: <lsq.1570043210.379046399@decadent.org.uk>
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.75-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.

A packed AppArmor policy contains null-terminated tag strings that are read
by unpack_nameX(). However, unpack_nameX() uses string functions on them
without ensuring that they are actually null-terminated, potentially
leading to out-of-bounds accesses.

Make sure that the tag string is null-terminated before passing it to
strcmp().

Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/apparmor/policy_unpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
 		char *tag = NULL;
 		size_t size = unpack_u16_chunk(e, &tag);
 		/* if a name is specified it must match. otherwise skip tag */
-		if (name && (!size || strcmp(name, tag)))
+		if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
 			goto fail;
 	} else if (name) {
 		/* if a name is specified and there is no name tag fail */