From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Milos Malik, Ondrej Mosnacek, Stephen Smalley, Paul Moore
Subject: [PATCH 5.3 070/112] selinux: fix context string corruption in convert_context()
Date: Wed, 16 Oct 2019 14:51:02 -0700
Message-Id: <20191016214903.275204395@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191016214844.038848564@linuxfoundation.org>
References: <20191016214844.038848564@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ondrej Mosnacek

commit 2a5243937c700ffe6a28e6557a4562a9ab0a17a4 upstream.

string_to_context_struct() may garble the context string, so we need to
copy back the contents again from the old context struct to avoid
storing the corrupted context.

Since string_to_context_struct() tokenizes (and therefore truncates) the
context string and we are later potentially copying it with kstrdup(),
this may eventually cause pieces of uninitialized kernel memory to be
disclosed to userspace (when copying to userspace based on the stored
length and not the null character).

How to reproduce on Fedora and similar:

# dnf install -y memcached
# systemctl start memcached
# semodule -d memcached
# load_policy
# load_policy
# systemctl stop memcached
# ausearch -m AVC
type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76

Cc: stable@vger.kernel.org
Reported-by: Milos Malik
Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
Signed-off-by: Paul Moore
Signed-off-by: Greg Kroah-Hartman --- security/selinux/ss/services.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1946,7 +1946,14 @@ static int convert_context(struct contex rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL); if (rc == -EINVAL) { - /* Retain string representation for later mapping. */ + /* + * Retain string representation for later mapping. + * + * IMPORTANT: We need to copy the contents of oldc->str + * back into s again because string_to_context_struct() + * may have garbled it. + */ + memcpy(s, oldc->str, oldc->len); context_init(newc); newc->str = s; newc->len = oldc->len;
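Review bot: the new `memcpy(s, oldc->str, oldc->len);` in the `if (rc == -EINVAL)` branch repairs the bytes that `string_to_context_struct()` overwrote, but its safety rests on two invariants that are established outside this hunk and that the new comment does not state: `s` must have been allocated with at least `oldc->len` bytes, and `oldc->str` must hold exactly `oldc->len` valid bytes. Please say so in the comment (for example "s is a copy of oldc->str of oldc->len bytes, allocated above") so a later change to how `s` is obtained cannot silently turn this into an over-read or over-write. Alternatively, since the buffer only has to survive intact on this error path, pass `string_to_context_struct()` a scratch copy and keep `s` untouched, which removes the need to restore it after the fact.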