diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-10-08 10:51:37 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-10-08 10:51:37 -0700 |
commit | 2ef459167adb5d7cf76df403b4fcf79347056824 (patch) | |
tree | a769c7c4bc544c97f54a666495bd257a2faca96f | |
parent | f54e66ae770fe559fb21383f95d739ac74c03ea8 (diff) | |
parent | 2a5243937c700ffe6a28e6557a4562a9ab0a17a4 (diff) | |
download | linux-2ef459167adb5d7cf76df403b4fcf79347056824.tar.bz2 |
Merge tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinuxfix from Paul Moore:
"One patch to ensure we don't copy bad memory up into userspace"
* tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix context string corruption in convert_context()
-rw-r--r-- | security/selinux/ss/services.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 3a29e7c24ba9..a5813c7629c1 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1946,7 +1946,14 @@ static int convert_context(struct context *oldc, struct context *newc, void *p) rc = string_to_context_struct(args->newp, NULL, s, newc, SECSID_NULL); if (rc == -EINVAL) { - /* Retain string representation for later mapping. */ + /* + * Retain string representation for later mapping. + * + * IMPORTANT: We need to copy the contents of oldc->str + * back into s again because string_to_context_struct() + * may have garbled it. + */ + memcpy(s, oldc->str, oldc->len); context_init(newc); newc->str = s; newc->len = oldc->len; |