Re: [PATCH] selinux: ensure the context is NULL terminated in security_context_to_sid_core()

Fri, 01 Dec 2017 11:20:07 -0800 

On Fri, 2017-12-01 at 10:34 -0500, Paul Moore wrote:
> On Thu, Nov 30, 2017 at 6:44 PM, William Roberts
> <bill.c.robe...@gmail.com> wrote:
> > On Thu, Nov 30, 2017 at 8:52 AM, Paul Moore <pmo...@redhat.com>
> > wrote:
> > > From: Paul Moore <p...@paul-moore.com>
> > > 
> > > The syzbot/syzkaller automated tests found a problem in
> > > security_context_to_sid_core() during early boot (before we load
> > > the
> > > SELinux policy) where we could potentially feed context strings
> > > without
> > > NULL terminators into the strcmp() function.
> > > 
> > > We already guard against this during normal operation (after the
> > > SELinux
> > > policy has been loaded) by making a copy of the context strings
> > > and
> > > explicitly adding a NULL terminator to the end.  The patch
> > > extends this
> > > protection to the early boot case (no loaded policy) by moving
> > > the context
> > > copy earlier in security_context_to_sid_core().
> > > 
> > > Reported-by: syzbot <syzkal...@googlegroups.com>
> > > Signed-off-by: Paul Moore <p...@paul-moore.com>
> > > ---
> > >  security/selinux/ss/services.c |   20 ++++++++++----------
> > >  1 file changed, 10 insertions(+), 10 deletions(-)
> > > 
> > > diff --git a/security/selinux/ss/services.c
> > > b/security/selinux/ss/services.c
> > > index 33cfe5d3d6cb..6ec4cdc8af8f 100644
> > > --- a/security/selinux/ss/services.c
> > > +++ b/security/selinux/ss/services.c
> > > @@ -1413,27 +1413,27 @@ static int
> > > security_context_to_sid_core(const char *scontext, u32
> > > scontext_len,
> > >         if (!scontext_len)
> > >                 return -EINVAL;
> > > 
> > > +       /* Copy the string to allow changes and ensure a NULL
> > > terminator */
> > > +       scontext2 = kmalloc(scontext_len + 1, gfp_flags);
> > > +       if (!scontext2)
> > > +               return -ENOMEM;
> > > +       memcpy(scontext2, scontext, scontext_len);
> > > +       scontext2[scontext_len] = 0;
> > 
> > Call me crazy, but can't we use kmemdup_nul() here?
> 
> Crazy good idea ;)
> 
> I didn't realize that function existed, I'll respin.  Thanks.

Also note that it should be NUL not NULL in the patch subject and
description.  '\0' vs (void*)0

> 
> > /**
> >  * kmemdup_nul - Create a NUL-terminated string from unterminated
> > data
> >  * @s: The data to stringify
> >  * @len: The size of the data
> >  * @gfp: the GFP mask used in the kmalloc() call when allocating
> > memory
> >  */
> > char *kmemdup_nul(const char *s, size_t len, gfp_t gfp)
> 
>

Reply via email to