On Thu, Oct 3, 2019 at 9:59 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> string_to_context_struct() may garble the context string, so we need to
> copy back the contents again from the old context struct to avoid
> storing the corrupted context.
>
> Since string_to_context_struct() tokenizes (and therefore truncates) the
> context string and we are later potentially copying it with kstrdup(),
> this may eventually cause pieces of uninitialized kernel memory to be
> disclosed to userspace (when copying to userspace based on the stored
> length and not the null character).
>
> How to reproduce on Fedora and similar:
> # dnf install -y memcached
> # systemctl start memcached
> # semodule -d memcached
> # load_policy
> # load_policy
> # systemctl stop memcached
> # ausearch -m AVC
> type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76
>
> Reported-by: Milos Malik <mmalik@xxxxxxxxxx>
> Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  security/selinux/ss/services.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)

Thanks for finding and fixing this. This looks like a good candidate for
stable, so I went ahead and merged it into selinux/stable-5.4; if anyone
has any objections to that, let me know by the end of the week.

--
paul moore
www.paul-moore.com