releases/4.14.130/apparmor-enforce-nullbyte-at-end-of-tag-string.patch

   1 From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
   2 From: Jann Horn <jannh@google.com>
   3 Date: Tue, 28 May 2019 17:32:26 +0200
   4 Subject: apparmor: enforce nullbyte at end of tag string
   5
   6 From: Jann Horn <jannh@google.com>
   7
   8 commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
   9
  10 A packed AppArmor policy contains null-terminated tag strings that are read
  11 by unpack_nameX(). However, unpack_nameX() uses string functions on them
  12 without ensuring that they are actually null-terminated, potentially
  13 leading to out-of-bounds accesses.
  14
  15 Make sure that the tag string is null-terminated before passing it to
  16 strcmp().
  17
  18 Cc: stable@vger.kernel.org
  19 Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
  20 Signed-off-by: Jann Horn <jannh@google.com>
  21 Signed-off-by: John Johansen <john.johansen@canonical.com>
  22 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23
  24 ---
  25  security/apparmor/policy_unpack.c |    2 +-
  26  1 file changed, 1 insertion(+), 1 deletion(-)
  27
  28 --- a/security/apparmor/policy_unpack.c
  29 +++ b/security/apparmor/policy_unpack.c
  30 @@ -259,7 +259,7 @@ static bool unpack_nameX(struct aa_ext *
  31                 char *tag = NULL;
  32                 size_t size = unpack_u16_chunk(e, &tag);
  33                 /* if a name is specified it must match. otherwise skip tag */
  34 -               if (name && (!size || strcmp(name, tag)))
  35 +               if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
  36                         goto fail;
  37         } else if (name) {
  38                 /* if a name is specified and there is no name tag fail */