leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
efe3de79e0
linux/security/selinux
History
Sachin Grover efe3de79e0 selinux: KASAN: slab-out-of-bounds in xattr_getsecurity 
Call trace:
 [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
 [<ffffff9203a8dbf8>] show_stack+0x28/0x38
 [<ffffff920409bfb8>] dump_stack+0xd4/0x124
 [<ffffff9203d187e8>] print_address_description+0x68/0x258
 [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
 [<ffffff9203d1927c>] kasan_report+0x5c/0x70
 [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
 [<ffffff9203d17cdc>] memcpy+0x34/0x68
 [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
 [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
 [<ffffff9203d75d68>] getxattr+0x100/0x2c8
 [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
 [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28

If user get root access and calls security.selinux setxattr() with an
embedded NUL on a file and then if some process performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.

To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.

Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-05-29 20:11:19 -04:00
..
include selinux: wrap AVC state 2018-03-20 16:58:17 -04:00
ss selinux: KASAN: slab-out-of-bounds in xattr_getsecurity 2018-05-29 20:11:19 -04:00
.gitignore SELinux: add .gitignore files for dynamic classes 2009-10-24 09:42:27 +08:00
avc.c selinux: wrap AVC state 2018-03-20 16:58:17 -04:00
exports.c selinux: sparse fix: include selinux.h in exports.c 2011-09-09 16:56:32 -07:00
hooks.c selinux: correctly handle sa_family cases in selinux_sctp_bind_connect() 2018-05-14 15:20:59 -04:00
ibpkey.c selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
Kconfig security: introduce CONFIG_SECURITY_WRITABLE_HOOKS 2017-03-06 11:00:12 +11:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netif.c selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
netlabel.c selinux: wrap AVC state 2018-03-20 16:58:17 -04:00
netlink.c selinux: replace obsolete NLMSG_* with type safe nlmsg_* 2013-03-28 14:25:49 -04:00
netnode.c selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
netport.c selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
nlmsgtab.c rtnetlink: add NEWCACHEREPORT message type 2017-06-21 11:22:52 -04:00
selinuxfs.c selinux: wrap AVC state 2018-03-20 16:58:17 -04:00
xfrm.c selinux: wrap AVC state 2018-03-20 16:58:17 -04:00