• Sachin Grover's avatar
    selinux: KASAN: slab-out-of-bounds in xattr_getsecurity · c738c806
    Sachin Grover authored
    commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.
    
    Call trace:
     [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
     [<ffffff9203a8dbf8>] show_stack+0x28/0x38
     [<ffffff920409bfb8>] dump_stack+0xd4/0x124
     [<ffffff9203d187e8>] print_address_description+0x68/0x258
     [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
     [<ffffff9203d1927c>] kasan_report+0x5c/0x70
     [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
     [<ffffff9203d17cdc>] memcpy+0x34/0x68
     [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
     [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
     [<ffffff9203d75d68>] getxattr+0x100/0x2c8
     [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
     [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28
    
    If user get root access and calls security.selinux setxattr() with an
    embedded NUL on a file and then if some process performs a getxattr()
    on that file with a length greater than the actual length of the string,
    it would result in a panic.
    
    To fix this, add the actual length of the string to the security context
    instead of the length passed by the userspace process.
    Signed-off-by: 's avatarSachin Grover <sgrover@codeaurora.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: 's avatarPaul Moore <paul@paul-moore.com>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    c738c806
Name
Last commit
Last update
..
apparmor Loading commit data...
integrity Loading commit data...
keys Loading commit data...
loadpin Loading commit data...
selinux Loading commit data...
smack Loading commit data...
tomoyo Loading commit data...
yama Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
commoncap.c Loading commit data...
device_cgroup.c Loading commit data...
inode.c Loading commit data...
lsm_audit.c Loading commit data...
min_addr.c Loading commit data...
security.c Loading commit data...