| author | Al Viro <viro@ZenIV.linux.org.uk> | 2012-06-09 11:15:16 +0400 | 
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2012-07-30 09:36:50 +0400 | 
| commit | e3fea3f70fd68af0574a5f24246cdb4ed07f2b74 (patch) | |
| tree | c3a8ae06734b2987646dd89c87c0a16ee50d420e /tools/perf/scripts/python/failed-syscalls-by-pid.py | |
| parent | 5935e6dcaaa8f666dd7f1169fa87d36752ebeb94 (diff) | |
| download | linux-e3fea3f70fd68af0574a5f24246cdb4ed07f2b74.tar.xz | |
selinux: fix selinux_inode_setxattr oops
OK, what we have so far is e.g.
	setxattr(path, name, whatever, 0, XATTR_REPLACE)
with name being good enough to get through xattr_permission().
Then we reach security_inode_setxattr() with the desired value and size.
Aha.  name should begin with "security.selinux", or we won't get that
far in selinux_inode_setxattr().  Suppose we got there and have enough
permissions to relabel that sucker.  We call security_context_to_sid()
with value == NULL, size == 0.  OK, we want ss_initialized to be non-zero.
I.e. after everything had been set up and running.  No problem...
We do 1-byte kmalloc(), zero-length memcpy() (which doesn't oops, even
though the source is NULL) and put a NUL there.  I.e. form an empty
string.  string_to_context_struct() is called and looks for the first
':' in there.  Not found, -EINVAL we get.  OK, security_context_to_sid_core()
has rc == -EINVAL, force == 0, so it silently returns -EINVAL.
All it takes now is not having CAP_MAC_ADMIN and we are fucked.
All right, it might be a different bug (modulo strange code quoted in the
report), but it's real.  Easily fixed, AFAICS:
Deal with size == 0, value == NULL case in selinux_inode_setxattr()
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Dave Jones <davej@redhat.com>
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'tools/perf/scripts/python/failed-syscalls-by-pid.py')
0 files changed, 0 insertions, 0 deletions
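The path the commit message walks, as an added C model (not the kernel's code): a stand-in for security_context_to_sid() that turns a NULL/zero-length value into an empty string and fails with -EINVAL, the pre-fix relabel path that then reaches the non-CAP_MAC_ADMIN denial with a NULL value, and the guarded path that rejects the degenerate request first. The model returns -EFAULT where the real path would oops, and the -EACCES return of the guard is an assumption of this model, not quoted from the page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed scenario: the caller may relabel but lacks CAP_MAC_ADMIN. */
#define CALLER_HAS_CAP_MAC_ADMIN 0

/* Model of security_context_to_sid() as the commit message describes it:
 * a size+1 allocation, a copy of size bytes (zero-length for the empty
 * value), a terminating NUL, then a scan for the first ':'.
 * No ':' means -EINVAL; the SID written on success is a placeholder. */
static int model_context_to_sid(const void *value, size_t size, unsigned *sid)
{
	char *scontext = malloc(size + 1);
	int rc = -EINVAL;

	if (!scontext)
		return -ENOMEM;
	if (size)
		memcpy(scontext, value, size);
	scontext[size] = '\0';            /* empty string when size == 0 */
	if (strchr(scontext, ':')) {
		*sid = 1;                 /* placeholder SID */
		rc = 0;
	}
	free(scontext);
	return rc;
}

/* Model of the relabel path before the fix: on -EINVAL without
 * CAP_MAC_ADMIN the denial is audited with the rejected value, and with
 * value == NULL that step touches NULL. -EFAULT stands in for the oops. */
static int setxattr_relabel_before(const void *value, size_t size)
{
	unsigned newsid;
	int rc = model_context_to_sid(value, size, &newsid);

	if (rc == -EINVAL && !CALLER_HAS_CAP_MAC_ADMIN)
		return value ? -EINVAL : -EFAULT;
	return rc;
}

/* Model of the fix: reject a missing or empty value before the parser and
 * the audit path ever see it (-EACCES is this model's assumption). */
static int setxattr_relabel_after(const void *value, size_t size)
{
	if (!value || !size)
		return -EACCES;
	return setxattr_relabel_before(value, size);
}
```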
