From: Greg Kroah-Hartman Date: Sun, 16 Feb 2014 18:21:19 +0000 (-0800) Subject: 3.13-stable patches X-Git-Tag: v3.4.81~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b9865b226848bce94ac679636721cc1b6d38f79;p=thirdparty%2Fkernel%2Fstable-queue.git 3.13-stable patches added patches: selinux-fix-kernel-bug-on-empty-security-contexts.patch --- diff --git a/queue-3.13/selinux-fix-kernel-bug-on-empty-security-contexts.patch b/queue-3.13/selinux-fix-kernel-bug-on-empty-security-contexts.patch new file mode 100644 index 00000000000..67938c03ccd --- /dev/null +++ b/queue-3.13/selinux-fix-kernel-bug-on-empty-security-contexts.patch 
@@ -0,0 +1,116 @@ +From 2172fa709ab32ca60e86179dc67d0857be8e2c98 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 30 Jan 2014 11:26:59 -0500 +Subject: SELinux: Fix kernel BUG on empty security contexts. + +From: Stephen Smalley + +commit 2172fa709ab32ca60e86179dc67d0857be8e2c98 upstream. + +Setting an empty security context (length=0) on a file will +lead to incorrectly dereferencing the type and other fields +of the security context structure, yielding a kernel BUG. +As a zero-length security context is never valid, just reject +all such security contexts whether coming from userspace +via setxattr or coming from the filesystem upon a getxattr +request by SELinux. + +Setting a security context value (empty or otherwise) unknown to +SELinux in the first place is only possible for a root process +(CAP_MAC_ADMIN), and, if running SELinux in enforcing mode, only +if the corresponding SELinux mac_admin permission is also granted +to the domain by policy. In Fedora policies, this is only allowed for +specific domains such as livecd for setting down security contexts +that are not defined in the build host policy. + +Reproducer: +su +setenforce 0 +touch foo +setfattr -n security.selinux foo + +Caveat: +Relabeling or removing foo after doing the above may not be possible +without booting with SELinux disabled. Any subsequent access to foo +after doing the above will also trigger the BUG. + +BUG output from Matthew Thode: +[ 473.893141] ------------[ cut here ]------------ +[ 473.962110] kernel BUG at security/selinux/ss/services.c:654! 
+[ 473.995314] invalid opcode: 0000 [#6] SMP +[ 474.027196] Modules linked in: +[ 474.058118] CPU: 0 PID: 8138 Comm: ls Tainted: G D I +3.13.0-grsec #1 +[ 474.116637] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0 +07/29/10 +[ 474.149768] task: ffff8805f50cd010 ti: ffff8805f50cd488 task.ti: +ffff8805f50cd488 +[ 474.183707] RIP: 0010:[] [] +context_struct_compute_av+0xce/0x308 +[ 474.219954] RSP: 0018:ffff8805c0ac3c38 EFLAGS: 00010246 +[ 474.252253] RAX: 0000000000000000 RBX: ffff8805c0ac3d94 RCX: +0000000000000100 +[ 474.287018] RDX: ffff8805e8aac000 RSI: 00000000ffffffff RDI: +ffff8805e8aaa000 +[ 474.321199] RBP: ffff8805c0ac3cb8 R08: 0000000000000010 R09: +0000000000000006 +[ 474.357446] R10: 0000000000000000 R11: ffff8805c567a000 R12: +0000000000000006 +[ 474.419191] R13: ffff8805c2b74e88 R14: 00000000000001da R15: +0000000000000000 +[ 474.453816] FS: 00007f2e75220800(0000) GS:ffff88061fc00000(0000) +knlGS:0000000000000000 +[ 474.489254] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 474.522215] CR2: 00007f2e74716090 CR3: 00000005c085e000 CR4: +00000000000207f0 +[ 474.556058] Stack: +[ 474.584325] ffff8805c0ac3c98 ffffffff811b549b ffff8805c0ac3c98 +ffff8805f1190a40 +[ 474.618913] ffff8805a6202f08 ffff8805c2b74e88 00068800d0464990 +ffff8805e8aac860 +[ 474.653955] ffff8805c0ac3cb8 000700068113833a ffff880606c75060 +ffff8805c0ac3d94 +[ 474.690461] Call Trace: +[ 474.723779] [] ? lookup_fast+0x1cd/0x22a +[ 474.778049] [] security_compute_av+0xf4/0x20b +[ 474.811398] [] avc_compute_av+0x2a/0x179 +[ 474.843813] [] avc_has_perm+0x45/0xf4 +[ 474.875694] [] inode_has_perm+0x2a/0x31 +[ 474.907370] [] selinux_inode_getattr+0x3c/0x3e +[ 474.938726] [] security_inode_getattr+0x1b/0x22 +[ 474.970036] [] vfs_getattr+0x19/0x2d +[ 475.000618] [] vfs_fstatat+0x54/0x91 +[ 475.030402] [] vfs_lstat+0x19/0x1b +[ 475.061097] [] SyS_newlstat+0x15/0x30 +[ 475.094595] [] ? 
__audit_syscall_entry+0xa1/0xc3 +[ 475.148405] [] system_call_fastpath+0x16/0x1b +[ 475.179201] Code: 00 48 85 c0 48 89 45 b8 75 02 0f 0b 48 8b 45 a0 48 +8b 3d 45 d0 b6 00 8b 40 08 89 c6 ff ce e8 d1 b0 06 00 48 85 c0 49 89 c7 +75 02 <0f> 0b 48 8b 45 b8 4c 8b 28 eb 1e 49 8d 7d 08 be 80 01 00 00 e8 +[ 475.255884] RIP [] +context_struct_compute_av+0xce/0x308 +[ 475.296120] RSP +[ 475.328734] ---[ end trace f076482e9d754adc ]--- + +Reported-by: Matthew Thode +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/ss/services.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -1232,6 +1232,10 @@ static int security_context_to_sid_core( + struct context context; + int rc = 0; + ++ /* An empty security context is never valid. */ ++ if (!scontext_len) ++ return -EINVAL; ++ + if (!ss_initialized) { + int i; + diff --git a/queue-3.13/series b/queue-3.13/series new file mode 100644 index 00000000000..28db5b4d597 --- /dev/null +++ b/queue-3.13/series @@ -0,0 +1 @@ +selinux-fix-kernel-bug-on-empty-security-contexts.patch
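Review bot: the new `if (!scontext_len) return -EINVAL;` in the security_context_to_sid_core() hunk sits before the `if (!ss_initialized)` branch, so the reject also covers the pre-policy-load path; that is consistent with the message's "never valid", but the comment `/* An empty security context is never valid. */` records neither why the length, rather than the parse result, is the right thing to test nor that this one spot is shared by the setxattr (CAP_MAC_ADMIN / mac_admin) and on-disk getxattr paths the commit message names. Suggest widening the comment along the lines of `/* An empty security context is never valid; reject it here so neither setxattr nor an on-disk xattr can store one. */`, and adding the expected post-fix outcome of the reproducer to the message (the `setfattr -n security.selinux foo` step should now fail with EINVAL) so the backport can be verified without reproducing the oops.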
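The following is an added user-space model, not code from the patch, the kernel or the stable queue. It reproduces in miniature the situation the commit message describes: a context value the policy cannot parse is kept uninterpreted when the caller has mac_admin rights (the `force` case), and a zero-length value is the one such input that looks like a parsed context with all indices unset, so a later access check indexes with `type - 1`. The symbol tables, sample labels, the `string_to_context()` parser, `compute_av()` and the rule that an uninterpreted label is recognised by a non-zero `len` are all constructed assumptions of this model, chosen only so that the check added by the hunk can be seen to close the hole while non-empty unknown labels keep working.

```c
/* Added example, not kernel code: a model of the path described in the
 * commit message. Tables, labels, parser and access check are constructed;
 * the only property carried over is that parsed contexts hold 1-based
 * user/role/type indices (0 = unset) and the check indexes by type - 1. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct context {
	uint32_t user, role, type;	/* 1-based policy indices, 0 = unset */
	char *str;			/* uninterpreted form of an unknown label */
	uint32_t len;			/* length of str, 0 for a parsed context */
};

/* Constructed stand-ins for the policy symbol tables. */
static const char *const users[] = { "system_u", "unconfined_u" };
static const char *const roles[] = { "object_r", "unconfined_r" };
static const char *const types[] = { "etc_t", "user_home_t", "unconfined_t" };
#define NTYPES (sizeof(types) / sizeof(types[0]))

/* 1-based index of name in tbl, 0 if unknown. */
static uint32_t lookup(const char *const *tbl, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(tbl[i], name) == 0)
			return (uint32_t)i + 1;
	return 0;
}

/* Parse "user:role:type[:...]" (any MLS tail is ignored in this model).
 * Returns 0 or -EINVAL; on failure *ctx is left all-zero. */
static int string_to_context(const char *s, struct context *ctx)
{
	char buf[128], *p = buf, *field[3];

	memset(ctx, 0, sizeof(*ctx));
	if (strlen(s) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, s);
	for (int i = 0; i < 3; i++) {
		char *colon = strchr(p, ':');
		field[i] = p;
		if (colon) {
			*colon = '\0';
			p = colon + 1;
		} else if (i < 2) {
			return -EINVAL;	/* fewer than three fields, "" included */
		}
	}
	ctx->user = lookup(users, 2, field[0]);
	ctx->role = lookup(roles, 2, field[1]);
	ctx->type = lookup(types, NTYPES, field[2]);
	if (!ctx->user || !ctx->role || !ctx->type) {
		memset(ctx, 0, sizeof(*ctx));
		return -EINVAL;
	}
	return 0;
}

/* Model of security_context_to_sid_core(): with force (mac_admin setxattr,
 * or a label read back from disk) an unparsable value is kept in str/len
 * instead of being rejected. `fixed` toggles the patch's entry check. */
static int context_to_sid(const char *s, uint32_t len, int force, int fixed,
			  struct context *out)
{
	int rc;

	if (fixed && !len)		/* the hunk: empty context is never valid */
		return -EINVAL;
	rc = string_to_context(s, out);
	if (rc == -EINVAL && force) {
		out->str = malloc(len + 1);
		if (!out->str)
			return -ENOMEM;
		memcpy(out->str, s, len);
		out->str[len] = '\0';
		out->len = len;		/* 0 for the empty value: looks "parsed" */
		rc = 0;
	}
	return rc;
}

#define MODEL_BUG (-1)		/* stands in for the BUG_ON in the oops */

/* Model of the access check. Assumption: an uninterpreted label is
 * recognised by len != 0 and never touches the type table; a parsed
 * context is indexed with type - 1, so type 0 wraps to 0xffffffff. */
static int compute_av(const struct context *tctx)
{
	if (tctx->len)
		return 0;		/* unknown but non-empty label: safe */
	uint32_t idx = tctx->type - 1;
	return idx >= NTYPES ? MODEL_BUG : 0;
}

/* Label via the force path, then run an access check on the result.
 * Returns 0 (safe), MODEL_BUG (crash) or -EINVAL (rejected up front). */
static int label_then_access(const char *label, int fixed)
{
	struct context ctx;
	int rc = context_to_sid(label, (uint32_t)strlen(label), 1, fixed, &ctx);

	if (rc)
		return rc;
	rc = compute_av(&ctx);
	free(ctx.str);
	return rc;
}

int main(void)
{
	printf("empty label, unpatched: %d (MODEL_BUG)\n", label_then_access("", 0));
	printf("empty label, patched:   %d (-EINVAL)\n", label_then_access("", 1));
	printf("unknown label, patched: %d (kept uninterpreted)\n", label_then_access("foo", 1));
	return 0;
}
```

The point of the model is the asymmetry between `"foo"` and `""`: both fail to parse, both are stored uninterpreted, but only the empty one ends up with `len == 0`, which is exactly the field the rest of the code uses to tell a parsed context from an unknown label. Rejecting on length at the entry of the conversion, as the hunk does, is therefore the minimal fix that leaves the non-empty unknown-label case (the livecd use the commit message mentions) untouched.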