Hi,
A kernel panic occurs when calling the lgetxattr() sys API with a random user-space value.
[ 25.833951] Call trace:
[ 25.833954] [<ffffff86adc8af40>] dump_backtrace+0x0/0x2a8
[ 25.833957] [<ffffff86adc8b484>] show_stack+0x20/0x28
[ 25.833959] [<ffffff86ae02b744>] dump_stack+0xa8/0xe0
[ 25.833962] [<ffffff86ade79ed0>] xattr_getsecurity+0xac/0xd4
[ 25.833964] [<ffffff86ade79f90>] vfs_getxattr+0x98/0xcc
[ 25.833966] [<ffffff86ade7a548>] getxattr+0x9c/0x1d4
[ 25.833969] [<ffffff86ade7a6f4>] path_getxattr+0x74/0xc4
[ 25.833971] [<ffffff86ade7afd8>] SyS_lgetxattr+0x3c/0x48
[ 25.833973] [<ffffff86adc83770>] el0_svc_naked+0x24/0x28
setxattr() gets the size and value from userspace. If I give the size as 64840, my code enters this part and crashes while doing memcpy under xattr_getsecurity().
    rc = string_to_context_struct(&policydb, &sidtab, scontext2,
                                  scontext_len, &context, def_sid);
    if (rc == -EINVAL && force) {
        context.str = str;
        context.len = scontext_len;
        str = NULL;
    // The rc value is coming as EINVAL (-22). In the passing case the rc value is always 0.
Please let me know if this fix is good enough.
rc = string_to_context_struct(&policydb, &sidtab, scontext2, scontext_len, &context, def_sid); if (rc == -EINVAL && force) { context.str = str; - context.len = scontext_len;+ context.len = strlen(str);str = NULL;
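Review bot: In the `rc == -EINVAL && force` branch, `context.len = strlen(str);` changes the stored length without the patch saying why `strlen(str)` can differ from `scontext_len`. The description should state where `str` is allocated and that its size is bounded by the first NUL rather than by the caller's size, so a reviewer can confirm the new length always matches the allocation. It is also worth deciding whether a value whose string length differs from `scontext_len` should be stored at all or rejected, since with this change the saved context is silently shorter than what the caller passed. The patch also needs to be resent in standard diff format with a changelog and Signed-off-by line; the call trace above belongs in that changelog.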
Regards,
Sachin Grover
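
The length mismatch described in the message above, reduced to a user-space model. This is an added example, not code from the original post or from the kernel; `ctx_model`, `ctx_store`, `check_case` and `sample` are hypothetical names. It assumes that `str` is a C-string duplicate of the caller's value, so its allocation ends at the first NUL.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the stored context, not the kernel struct. */
struct ctx_model {
    char  *str;    /* NUL-terminated copy of the caller's value */
    size_t len;    /* length a later reader passes to memcpy */
    size_t alloc;  /* bytes actually allocated for str */
};

/* Constructed sample: a 64840-byte value whose text ends at the first NUL. */
static char sample[64840] = "not_a_valid_context";

/* Store a value of claimed size `size`. Assumption: str is duplicated as a
 * C string, so its allocation stops at the first NUL. */
static int ctx_store(struct ctx_model *c, const char *val, size_t size, int fixed)
{
    char *tmp = malloc(size + 1);
    if (!tmp) return -1;
    memcpy(tmp, val, size);
    tmp[size] = '\0';
    c->alloc = strlen(tmp) + 1;
    c->str = malloc(c->alloc);
    if (c->str) memcpy(c->str, tmp, c->alloc);
    free(tmp);
    if (!c->str) return -1;
    c->len = fixed ? strlen(c->str) : size;  /* patched vs. original line */
    return 0;
}

/* Store, then check that a reader copying len bytes plus a NUL stays inside
 * the allocation. Returns 1 if safe, 0 if it would over-read, -1 on ENOMEM. */
static int check_case(const char *val, size_t size, int fixed)
{
    struct ctx_model c = {0};
    if (ctx_store(&c, val, size, fixed) != 0) return -1;
    int ok = c.len + 1 <= c.alloc;
    free(c.str);
    return ok;
}

int main(void)
{
    return !(check_case(sample, sizeof sample, 0) == 0 &&
             check_case(sample, sizeof sample, 1) == 1);
}
```

The model never performs the oversized copy; it only compares the recorded length with the allocation, which is the invariant the one-line change restores.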