[thirdparty/kernel/stable-queue.git] / queue-4.9 / apparmor-enforce-nullbyte-at-end-of-tag-string.patch

From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
From: Jann Horn <jannh@google.com>
Date: Tue, 28 May 2019 17:32:26 +0200
Subject: apparmor: enforce nullbyte at end of tag string

From: Jann Horn <jannh@google.com>

commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.

A packed AppArmor policy contains null-terminated tag strings that are read
by unpack_nameX(). However, unpack_nameX() uses string functions on them
without ensuring that they are actually null-terminated, potentially
leading to out-of-bounds accesses.

Make sure that the tag string is null-terminated before passing it to
strcmp().

Cc: stable@vger.kernel.org
Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/apparmor/policy_unpack.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
 		char *tag = NULL;
 		size_t size = unpack_u16_chunk(e, &tag);
 		/* if a name is specified it must match. otherwise skip tag */
-		if (name && (!size || strcmp(name, tag)))
+		if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
 			goto fail;
 	} else if (name) {
 		/* if a name is specified and there is no name tag fail */
Commit	Line	Data
a8c1222d GKH	1	From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
	2	From: Jann Horn <jannh@google.com>
	3	Date: Tue, 28 May 2019 17:32:26 +0200
	4	Subject: apparmor: enforce nullbyte at end of tag string
	5
	6	From: Jann Horn <jannh@google.com>
	7
	8	commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
	9
	10	A packed AppArmor policy contains null-terminated tag strings that are read
	11	by unpack_nameX(). However, unpack_nameX() uses string functions on them
	12	without ensuring that they are actually null-terminated, potentially
	13	leading to out-of-bounds accesses.
	14
	15	Make sure that the tag string is null-terminated before passing it to
	16	strcmp().
	17
	18	Cc: stable@vger.kernel.org
	19	Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
	20	Signed-off-by: Jann Horn <jannh@google.com>
	21	Signed-off-by: John Johansen <john.johansen@canonical.com>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	security/apparmor/policy_unpack.c \| 2 +-
	26	1 file changed, 1 insertion(+), 1 deletion(-)
	27
	28	--- a/security/apparmor/policy_unpack.c
	29	+++ b/security/apparmor/policy_unpack.c
	30	@@ -177,7 +177,7 @@ static bool unpack_nameX(struct aa_ext *
	31	char *tag = NULL;
	32	size_t size = unpack_u16_chunk(e, &tag);
	33	/* if a name is specified it must match. otherwise skip tag */
	34	- if (name && (!size \|\| strcmp(name, tag)))
	35	+ if (name && (!size \|\| tag[size-1] != '\0' \|\| strcmp(name, tag)))
	36	goto fail;
	37	} else if (name) {
	38	/* if a name is specified and there is no name tag fail */