android_kernel_oneplus_msm8998/security
Sachin Grover e42662afef selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
Call trace:
 [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
 [<ffffff9203a8dbf8>] show_stack+0x28/0x38
 [<ffffff920409bfb8>] dump_stack+0xd4/0x124
 [<ffffff9203d187e8>] print_address_description+0x68/0x258
 [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
 [<ffffff9203d1927c>] kasan_report+0x5c/0x70
 [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
 [<ffffff9203d17cdc>] memcpy+0x34/0x68
 [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
 [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
 [<ffffff9203d75d68>] getxattr+0x100/0x2c8
 [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
 [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28

If a user gets root access and calls security.selinux setxattr() with an
embedded NUL on a file, and some process then performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.

To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.

Change-Id: Ie0b8bfc7c96bc12282b955fb3adf41b3c2d011cd
Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
2018-05-30 21:25:04 -07:00
apparmor apparmor: Make path_max parameter readonly 2018-03-22 09:23:24 +01:00
integrity ima: relax requiring a file signature for new files with zero length 2018-03-22 09:23:30 +01:00
keys KEYS: encrypted: fix buffer overread in valid_master_desc() 2018-02-16 20:09:38 +01:00
pfe security: pfe: Return proper error code 2017-11-08 16:49:51 +05:30
selinux selinux: KASAN: slab-out-of-bounds in xattr_getsecurity 2018-05-30 21:25:04 -07:00
smack lsm: fix smack_inode_removexattr and xattr_getsecurity memleak 2017-10-12 11:27:32 +02:00
tomoyo LSM: Switch to lists of hooks 2015-05-12 15:00:41 +10:00
yama security: let security modules use PTRACE_MODE_* with bitmasks 2016-03-03 15:07:32 -08:00
commoncap.c BACKPORT: ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-07-07 16:30:43 -07:00
device_cgroup.c security/device_cgroup: Fix RCU_LOCKDEP_WARN() condition 2015-09-03 18:13:10 -07:00
inode.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2017-02-03 15:04:29 +05:30
Kconfig Merge android-4.4.110 (5cc8c2e) into msm-4.4 2018-01-18 12:50:51 +05:30
lsm_audit.c BACKPORT: audit: consistently record PIDs with task_tgid_nr() 2016-10-12 17:34:22 +05:30
Makefile PFT: moved to a new directory 2016-03-23 21:24:04 -07:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-05-14 19:03:15 +10:00
security.c Merge tag 'lsk-v4.4-17.02-android' into branch 'msm-4.4' 2017-03-18 08:55:10 -07:00