--- /dev/null
+From efe3de79e0b52ca281ef6691480c8c68c82a4657 Mon Sep 17 00:00:00 2001
+From: Sachin Grover <sgrover@codeaurora.org>
+Date: Fri, 25 May 2018 14:01:39 +0530
+Subject: selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
+
+From: Sachin Grover <sgrover@codeaurora.org>
+
+commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream.
+
+Call trace:
+ [<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
+ [<ffffff9203a8dbf8>] show_stack+0x28/0x38
+ [<ffffff920409bfb8>] dump_stack+0xd4/0x124
+ [<ffffff9203d187e8>] print_address_description+0x68/0x258
+ [<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
+ [<ffffff9203d1927c>] kasan_report+0x5c/0x70
+ [<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
+ [<ffffff9203d17cdc>] memcpy+0x34/0x68
+ [<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
+ [<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
+ [<ffffff9203d75d68>] getxattr+0x100/0x2c8
+ [<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
+ [<ffffff9203a83f70>] el0_svc_naked+0x24/0x28
+
+If user get root access and calls security.selinux setxattr() with an
+embedded NUL on a file and then if some process performs a getxattr()
+on that file with a length greater than the actual length of the string,
+it would result in a panic.
+
+To fix this, add the actual length of the string to the security context
+instead of the length passed by the userspace process.
+
+Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/services.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -1271,7 +1271,7 @@ static int security_context_to_sid_core(
+ scontext_len, &context, def_sid);
+ if (rc == -EINVAL && force) {
+ context.str = str;
+- context.len = scontext_len;
++ context.len = strlen(str) + 1;
+ str = NULL;
+ } else if (rc)
+ goto out_unlock;
--- /dev/null
+From 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Sun, 27 May 2018 20:54:44 -0400
+Subject: tracing: Fix crash when freeing instances with event triggers
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 upstream.
+
+If a instance has an event trigger enabled when it is freed, it could cause
+an access of free memory. Here's the case that crashes:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo snapshot > instances/foo/events/initcall/initcall_start/trigger
+ # rmdir instances/foo
+
+Would produce:
+
+ general protection fault: 0000 [#1] PREEMPT SMP PTI
+ Modules linked in: tun bridge ...
+ CPU: 5 PID: 6203 Comm: rmdir Tainted: G W 4.17.0-rc4-test+ #933
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016
+ RIP: 0010:clear_event_triggers+0x3b/0x70
+ RSP: 0018:ffffc90003783de0 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b2b RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800c7130ba0
+ RBP: ffffc90003783e00 R08: ffff8801131993f8 R09: 0000000100230016
+ R10: ffffc90003783d80 R11: 0000000000000000 R12: ffff8800c7130ba0
+ R13: ffff8800c7130bd8 R14: ffff8800cc093768 R15: 00000000ffffff9c
+ FS: 00007f6f4aa86700(0000) GS:ffff88011eb40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f6f4a5aed60 CR3: 00000000cd552001 CR4: 00000000001606e0
+ Call Trace:
+ event_trace_del_tracer+0x2a/0xc5
+ instance_rmdir+0x15c/0x200
+ tracefs_syscall_rmdir+0x52/0x90
+ vfs_rmdir+0xdb/0x160
+ do_rmdir+0x16d/0x1c0
+ __x64_sys_rmdir+0x17/0x20
+ do_syscall_64+0x55/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+This was due to the call the clears out the triggers when an instance is
+being deleted not removing the trigger from the link list.
+
+Cc: stable@vger.kernel.org
+Fixes: 85f2b08268c01 ("tracing: Add basic event trigger framework")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_trigger.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -469,9 +469,10 @@ clear_event_triggers(struct trace_array
+ struct ftrace_event_file *file;
+
+ list_for_each_entry(file, &tr->events, list) {
+- struct event_trigger_data *data;
+- list_for_each_entry_rcu(data, &file->triggers, list) {
++ struct event_trigger_data *data, *n;
++ list_for_each_entry_safe(data, n, &file->triggers, list) {
+ trace_event_trigger_enable_disable(file, 0);
++ list_del_rcu(&data->list);
+ if (data->ops->free)
+ data->ops->free(data->ops, data);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
