| author | Sachin Grover <sgrover@codeaurora.org> | 2018-05-24 22:48:55 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-05-30 21:25:04 -0700 |
| commit | e42662afefdff1ab65d7cb1c76973a96d3569ed4 (patch) | |
| tree | ed8905763c9c47e35a21ea32f1b5bdfded1e1853 /scripts/gcc-wrapper.py | |
| parent | 7f1e39e00b529092f55b7c43e93bff4431b42273 (diff) | |
selinux: KASAN: slab-out-of-bounds in xattr_getsecurity

Call trace:
[<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
[<ffffff9203a8dbf8>] show_stack+0x28/0x38
[<ffffff920409bfb8>] dump_stack+0xd4/0x124
[<ffffff9203d187e8>] print_address_description+0x68/0x258
[<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
[<ffffff9203d1927c>] kasan_report+0x5c/0x70
[<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
[<ffffff9203d17cdc>] memcpy+0x34/0x68
[<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
[<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
[<ffffff9203d75d68>] getxattr+0x100/0x2c8
[<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
[<ffffff9203a83f70>] el0_svc_naked+0x24/0x28

If a user gets root access and calls security.selinux setxattr() with an
embedded NUL on a file and then if some process performs a getxattr()
on that file with a length greater than the actual length of the string,
it would result in a panic.

To fix this, add the actual length of the string to the security context
instead of the length passed by the userspace process.

Change-Id: Ie0b8bfc7c96bc12282b955fb3adf41b3c2d011cd
Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
Diffstat (limited to 'scripts/gcc-wrapper.py')
0 files changed, 0 insertions, 0 deletions
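
An added illustration of the length mismatch the commit message describes, written for this page and not taken from the commit or the kernel source: a user-space C model with hypothetical names (`struct ctx`, `ctx_store`, `ctx_read`) and a constructed label. It assumes the stored copy ends at the first NUL, so recording the caller-supplied length leaves `len` larger than the allocation, while recording the actual string length keeps later reads in bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model; names are not the kernel's. */
struct ctx {
    char  *str;    /* NUL-terminated copy of the label */
    size_t alloc;  /* bytes actually allocated for str */
    size_t len;    /* length a later read will copy out */
};

/* Assumption: the stored copy stops at the first NUL (strdup-like).
 * fixed == 0 records the caller's length (bug); 1 records strlen + 1 (fix). */
static int ctx_store(struct ctx *c, const char *buf, size_t buflen, int fixed)
{
    const char *nul = memchr(buf, '\0', buflen);
    size_t n = nul ? (size_t)(nul - buf) : buflen;
    if (!(c->str = malloc(n + 1)))
        return -1;
    memcpy(c->str, buf, n);
    c->str[n] = '\0';
    c->alloc = n + 1;
    c->len = fixed ? strlen(c->str) + 1 : buflen;
    return 0;
}

/* Bytes copied, or -1 where an unchecked memcpy would overrun str or out. */
static long ctx_read(const struct ctx *c, char *out, size_t outlen)
{
    if (c->len > c->alloc || c->len > outlen)
        return -1;
    memcpy(out, c->str, c->len);
    return (long)c->len;
}

int main(void)
{
    /* Constructed sample: 16-byte label with an embedded NUL after 8 bytes. */
    static const char label[] = "u:r:a:s0\0padding";
    struct ctx c;
    char out[64];
    for (int fixed = 0; fixed <= 1; fixed++) {
        if (ctx_store(&c, label, sizeof(label) - 1, fixed))
            return 1;
        printf("fixed=%d len=%zu alloc=%zu read=%ld\n", fixed, c.len, c.alloc, ctx_read(&c, out, sizeof(out)));
        free(c.str);
    }
    return 0;
}
```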
