summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorOndrej Mosnacek <omosnace@redhat.com>2019-10-03 15:59:22 +0200
committerPaul Moore <paul@paul-moore.com>2019-10-03 20:13:36 +0200
commit2a5243937c700ffe6a28e6557a4562a9ab0a17a4 (patch)
treee472f908d8afb9593b8858a2bb67e77372b55f81 /lib
parentlsm: remove current_security() (diff)
downloadlinux-2a5243937c700ffe6a28e6557a4562a9ab0a17a4.tar.xz
linux-2a5243937c700ffe6a28e6557a4562a9ab0a17a4.zip
selinux: fix context string corruption in convert_context()
string_to_context_struct() may garble the context string, so we need to copy back the contents again from the old context struct to avoid storing the corrupted context. Since string_to_context_struct() tokenizes (and therefore truncates) the context string and we are later potentially copying it with kstrdup(), this may eventually cause pieces of uninitialized kernel memory to be disclosed to userspace (when copying to userspace based on the stored length and not the null character). How to reproduce on Fedora and similar: # dnf install -y memcached # systemctl start memcached # semodule -d memcached # load_policy # load_policy # systemctl stop memcached # ausearch -m AVC type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76 Cc: stable@vger.kernel.org Reported-by: Milos Malik <mmalik@redhat.com> Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions