Re: [Bug][KASAN] crash in xattr_getsecurity()

To clarify more: data and size both come from userspace, so I sent a string in the void * __user arg of lgetxattr(). My string format is "abcdef\0ashasalksjas",
i.e. I sent a string with a null character in between.
I sent size as 64840.
Now, according to your change:
context.str = str;               // context.str = "abcdef\0ashasalksjas"
context.len = scontext_len;      // context.len = 64840

But the actual length of the string was 6. Because the actual length is not taken into consideration, the memcpy in xattr_getsecurity() is failing.

I am not an expert in the selinux stack, so I want your input on this.



On Thu, May 24, 2018 at 11:42 AM, Sachin Grover <sachin.grover91@xxxxxxxxx> wrote:
Hi,

A kernel panic occurs when calling the lgetxattr() syscall API with a random userspace value.

[   25.833951] Call trace:
[   25.833954] [<ffffff86adc8af40>] dump_backtrace+0x0/0x2a8
[   25.833957] [<ffffff86adc8b484>] show_stack+0x20/0x28
[   25.833959] [<ffffff86ae02b744>] dump_stack+0xa8/0xe0
[   25.833962] [<ffffff86ade79ed0>] xattr_getsecurity+0xac/0xd4
[   25.833964] [<ffffff86ade79f90>] vfs_getxattr+0x98/0xcc
[   25.833966] [<ffffff86ade7a548>] getxattr+0x9c/0x1d4
[   25.833969] [<ffffff86ade7a6f4>] path_getxattr+0x74/0xc4
[   25.833971] [<ffffff86ade7afd8>] SyS_lgetxattr+0x3c/0x48
[   25.833973] [<ffffff86adc83770>] el0_svc_naked+0x24/0x28

setxattr() gets size and value from userspace; if I give size as 64840, my code enters this part and crashes on the memcpy in xattr_getsecurity().

rc = string_to_context_struct(&policydb, &sidtab, scontext2,
			      scontext_len, &context, def_sid);
if (rc == -EINVAL && force) {
	context.str = str;
	context.len = scontext_len;
	str = NULL;


// rc comes back as -EINVAL (-22); in the passing case rc is always 0.

Please let me know if this fix is good enough.

rc = string_to_context_struct(&policydb, &sidtab, scontext2,
				      scontext_len, &context, def_sid);
	if (rc == -EINVAL && force) {
	context.str = str;
-      context.len = scontext_len;
+      context.len = strlen(str);
		str = NULL;
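Review bot: setting context.len = strlen(str) on the changed line keeps the later memcpy inside the buffer, but it fixes the symptom rather than the mismatch behind it, and it changes what the force path stores. The hunk does not show how str is produced, yet the report itself (only the bytes before the embedded NUL survive while scontext_len is still 64840) means str holds a NUL-terminated copy while context.len claims the full user-supplied length; those two must describe the same number of bytes, because that is the invariant xattr_getsecurity() relies on when it copies context.len bytes out of context.str. With strlen(str) the stored context is silently truncated to "abcdef" although scontext_len bytes were supplied, so a caller that reads the attribute back gets something different from what it set. The alternative is to leave `context.len = scontext_len;` as it is and instead make the copy in str cover the full scontext_len bytes (a length-aware duplicate instead of a NUL-terminated one), which also leaves behaviour unchanged for the normal case of a string with no embedded NUL. Whichever way is chosen, a one-line comment next to `context.str = str;` stating that str and context.len must agree would stop this from regressing.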

Regards,
Sachin Grover
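The two messages above describe the same defect from two sides: the force branch stores a NUL-terminated copy of the user string but records the caller-supplied length, and xattr_getsecurity() later copies that many bytes out of the shorter buffer. The following is an added userspace model of that path, not kernel code and not the reporter's patch. It tracks the real allocation size next to the buffer instead of performing the out-of-bounds copy, so it can compare three variants safely: the code as reported, the thread's proposal (context.len = strlen(str)), and a length-aware duplicate that keeps context.len = scontext_len. All function and enum names, the struct layout and the 64840-byte constructed input are assumptions made for the illustration; the length-aware variant is shown as one way to restore the buffer/length invariant, not as a statement of what was merged upstream.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which variant of the force path to model (names are ours, not the kernel's). */
enum force_fix {
	FORCE_AS_REPORTED,   /* str = NUL-terminated dup, len = scontext_len   */
	FORCE_STRLEN_LEN,    /* the thread's proposal: len = strlen(str)       */
	FORCE_FULL_LEN_DUP,  /* alternative: dup scontext_len bytes, keep len  */
};

/* Stand-in for the context struct on the forced path. 'alloc' is not a kernel
 * field; it records how many bytes str really owns so the copy-out check can
 * reason about an over-read without actually performing one. */
struct force_ctx {
	char *str;
	size_t alloc;
	uint32_t len;
};

/* kstrdup()-style copy: stops at the first NUL, so alloc == strlen + 1. */
static char *dup_nul_terminated(const char *s, size_t *alloc)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p) { memcpy(p, s, n); *alloc = n; }
	return p;
}

/* kmemdup()-style copy of exactly len bytes plus a terminator. */
static char *dup_full_length(const char *s, size_t len, size_t *alloc)
{
	char *p = malloc(len + 1);
	if (p) { memcpy(p, s, len); p[len] = '\0'; *alloc = len + 1; }
	return p;
}

/* Mirror the force branch quoted in the thread: copy the user bytes into a
 * NUL-terminated scratch buffer, duplicate that into context.str, then pick
 * context.len. scontext may contain embedded NULs. */
static int store_forced_context(const char *scontext, uint32_t scontext_len,
				enum force_fix fix, struct force_ctx *out)
{
	char *scontext2 = malloc((size_t)scontext_len + 1);
	if (!scontext2)
		return -ENOMEM;
	memcpy(scontext2, scontext, scontext_len);
	scontext2[scontext_len] = '\0';

	if (fix == FORCE_FULL_LEN_DUP)
		out->str = dup_full_length(scontext2, scontext_len, &out->alloc);
	else
		out->str = dup_nul_terminated(scontext2, &out->alloc);
	free(scontext2);
	if (!out->str)
		return -ENOMEM;

	out->len = (fix == FORCE_STRLEN_LEN) ? (uint32_t)strlen(out->str)
					     : scontext_len;
	return 0;
}

/* xattr_getsecurity() copies context.len bytes from context.str; report how
 * many of those bytes would lie past the end of the allocation (0 = safe). */
static size_t copy_out_overread(const struct force_ctx *c)
{
	return c->len > c->alloc ? c->len - c->alloc : 0;
}

/* Constructed input shaped like the report: "abcdef", an embedded NUL, filler
 * up to a claimed length of 64840 bytes (this is test data, not a real xattr). */
static int build_demo_ctx(enum force_fix fix, struct force_ctx *out)
{
	const uint32_t claimed_len = 64840u;
	char *user_buf = malloc(claimed_len);
	int rc;
	if (!user_buf)
		return -ENOMEM;
	memset(user_buf, 'a', claimed_len);
	memcpy(user_buf, "abcdef", 6);
	user_buf[6] = '\0';
	rc = store_forced_context(user_buf, claimed_len, fix, out);
	free(user_buf);
	return rc;
}

/* Bytes the copy-out would over-read for a variant (0 means in bounds). */
static size_t demo_overread(enum force_fix fix)
{
	struct force_ctx c = { 0 };
	size_t n;
	if (build_demo_ctx(fix, &c) != 0)
		return (size_t)-1;
	n = copy_out_overread(&c);
	free(c.str);
	return n;
}

/* Length recorded for the stored context; shows what strlen() throws away. */
static uint32_t demo_stored_len(enum force_fix fix)
{
	struct force_ctx c = { 0 };
	uint32_t len;
	if (build_demo_ctx(fix, &c) != 0)
		return 0;
	len = c.len;
	free(c.str);
	return len;
}

int main(void)
{
	static const char *names[] = { "as reported", "len = strlen(str)", "full-length dup" };
	for (int f = FORCE_AS_REPORTED; f <= FORCE_FULL_LEN_DUP; f++)
		printf("%-18s: stored len %u, would over-read %zu bytes\n", names[f],
		       demo_stored_len((enum force_fix)f), demo_overread((enum force_fix)f));
	return 0;
}
```

Run as written, the first variant reports an over-read of 64833 bytes (64840 requested from a 7-byte allocation), which is the slab-out-of-bounds read KASAN flags in xattr_getsecurity(). Both fixes bring the over-read to zero, but only the full-length duplicate keeps the stored length at 64840; the strlen() variant records 6 and drops everything after the embedded NUL.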


