Date: Fri, 23 Feb 2024 20:16:51 +0100
From: Mickaël Salaün
To: Casey Schaufler, John Johansen, Paul Moore
Cc: James Morris, "Serge E . Hallyn", linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()
Message-ID: <20240223.iph9eew7pooX@digikod.net>
References: <20240223190546.3329966-1-mic@digikod.net>
In-Reply-To: <20240223190546.3329966-1-mic@digikod.net>

These bugs have been found with syzkaller. I just sent a PR to add
support for the new LSM syscalls:
https://github.com/google/syzkaller/pull/4524

On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote:
> selinux_lsm_getattr() may not initialize the value's pointer in some
> case. As for proc_pid_attr_read(), initialize this pointer to NULL in
> selinux_getselfattr() to avoid an UAF in the kfree() call.
>
> Cc: Casey Schaufler
> Cc: Paul Moore
> Cc: stable@vger.kernel.org
> Fixes: 762c934317e6 ("SELinux: Add selfattr hooks")
> Signed-off-by: Mickaël Salaün
> ---
> security/selinux/hooks.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a6bf90ace84c..338b023a8c3e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
> size_t *size, u32 flags)
> {
> int rc;
> - char *val;
> + char *val = NULL;
> int val_len;
>
> val_len = selinux_lsm_getattr(attr, current, &val);
> --
> 2.43.0
>
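
Review bot: at `char *val = NULL;`, the initialization protects this one caller, but the commit message says selinux_lsm_getattr() itself may leave the pointer unset, so every caller has to remember the same guard (proc_pid_attr_read() is named as already carrying it). Consider also setting the output pointer to NULL on entry to selinux_lsm_getattr(), so the contract holds for any future caller that passes `&val` and later frees it. The changelog also calls this a UAF in kfree(); from the visible lines the problem is kfree() on an uninitialized stack pointer rather than a use after free, and the message would be more precise if it said so and named the cases in which the pointer is left unset.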