From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, Denis Kirjanov , "John Johansen" , "Jann Horn" Date: Wed, 02 Oct 2019 20:06:51 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 68/87] apparmor: enforce nullbyte at end of tag string In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.75-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit 8404d7a674c49278607d19726e0acc0cae299357 upstream. A packed AppArmor policy contains null-terminated tag strings that are read by unpack_nameX(). However, unpack_nameX() uses string functions on them without ensuring that they are actually null-terminated, potentially leading to out-of-bounds accesses. Make sure that the tag string is null-terminated before passing it to strcmp(). Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Signed-off-by: Jann Horn Signed-off-by: John Johansen Signed-off-by: Ben Hutchings --- security/apparmor/policy_unpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext * char *tag = NULL; size_t size = unpack_u16_chunk(e, &tag); /* if a name is specified it must match. otherwise skip tag */ - if (name && (!size || strcmp(name, tag))) + if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag))) goto fail; } else if (name) { /* if a name is specified and there is no name tag fail */
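Review bot: The comment above the changed condition in unpack_nameX() still reads "if a name is specified it must match. otherwise skip tag" and does not mention that a tag whose last byte is not '\0' is now rejected; since that is the invariant the strcmp() call depends on, it is worth stating there. The ordering of the tests matters and should be kept: "!size" is evaluated before "tag[size-1]", so a zero-length chunk never indexes tag[-1]. The termination check only runs when name is non-NULL, which is fine for the lines shown because the skipped tag is not handed to a string function. Minor style point: kernel coding style puts spaces around binary operators, so "tag[size - 1]".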
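The bug class the commit message describes, as an added userspace example that is not code from the kernel or from the patch author. It assumes a chunk is a little-endian u16 length followed by that many bytes; `struct ext`, `read_u16_chunk()`, `tag_matches()`, `check()` and the sample blobs are hypothetical names and constructed data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical userspace model of the unpack cursor (names are assumptions). */
struct ext {
    const uint8_t *pos;  /* next unread byte */
    const uint8_t *end;  /* one past the last byte of the blob */
};

/* Read a little-endian u16 length plus that many bytes; 0 if the blob is short. */
static size_t read_u16_chunk(struct ext *e, const char **chunk)
{
    size_t size, left = (size_t)(e->end - e->pos);
    if (left < 2)
        return 0;
    size = (size_t)e->pos[0] | ((size_t)e->pos[1] << 8);
    if (left - 2 < size)
        return 0;
    *chunk = (const char *)e->pos + 2;
    e->pos += 2 + size;
    return size;
}

/* True only if the next chunk is a NUL-terminated tag equal to name. */
static bool tag_matches(struct ext *e, const char *name)
{
    const char *tag = NULL;
    size_t size = read_u16_chunk(e, &tag);
    /* size is tested first, so tag[size - 1] is never read for an empty chunk;
     * the NUL test runs before strcmp(), so strcmp() stays inside the chunk */
    if (!size || tag[size - 1] != '\0' || strcmp(name, tag) != 0)
        return false;
    return true;
}

/* Constructed sample blobs: a well-formed tag and an unterminated one. */
static const uint8_t good_blob[] = { 4, 0, 'a', 'b', 'c', '\0' };
static const uint8_t bad_blob[]  = { 3, 0, 'a', 'b', 'c' };

static bool check(const uint8_t *blob, size_t len, const char *name)
{
    struct ext e = { blob, blob + len };
    return tag_matches(&e, name);
}

int main(void)
{
    return (check(good_blob, sizeof good_blob, "abc") &&
            !check(bad_blob, sizeof bad_blob, "abc")) ? 0 : 1;
}
```

Without the `tag[size - 1]` test, `strcmp()` on `bad_blob` would read past the end of the array looking for a terminator.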