summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-10-08 10:51:37 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2019-10-08 10:51:37 -0700
commit2ef459167adb5d7cf76df403b4fcf79347056824 (patch)
treea769c7c4bc544c97f54a666495bd257a2faca96f
parentf54e66ae770fe559fb21383f95d739ac74c03ea8 (diff)
parent2a5243937c700ffe6a28e6557a4562a9ab0a17a4 (diff)
downloadlinux-2ef459167adb5d7cf76df403b4fcf79347056824.tar.bz2
Merge tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinuxfix from Paul Moore: "One patch to ensure we don't copy bad memory up into userspace" * tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix context string corruption in convert_context()
-rw-r--r--security/selinux/ss/services.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3a29e7c24ba9..a5813c7629c1 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1946,7 +1946,14 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
rc = string_to_context_struct(args->newp, NULL, s,
newc, SECSID_NULL);
if (rc == -EINVAL) {
- /* Retain string representation for later mapping. */
+ /*
+ * Retain string representation for later mapping.
+ *
+ * IMPORTANT: We need to copy the contents of oldc->str
+ * back into s again because string_to_context_struct()
+ * may have garbled it.
+ */
+ memcpy(s, oldc->str, oldc->len);
context_init(newc);
newc->str = s;
newc->len = oldc->len;