From: Al Viro Date: Sat, 9 Jun 2012 07:15:16 +0000 (+0100) Subject: selinux: fix selinux_inode_setxattr oops X-Git-Tag: v3.6-rc1~55^2 X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3fea3f70fd68af0574a5f24246cdb4ed07f2b74;p=pandora-kernel.git selinux: fix selinux_inode_setxattr oops OK, what we have so far is e.g. setxattr(path, name, whatever, 0, XATTR_REPLACE) with name being good enough to get through xattr_permission(). Then we reach security_inode_setxattr() with the desired value and size. Aha. name should begin with "security.selinux", or we won't get that far in selinux_inode_setxattr(). Suppose we got there and have enough permissions to relabel that sucker. We call security_context_to_sid() with value == NULL, size == 0. OK, we want ss_initialized to be non-zero. I.e. after everything had been set up and running. No problem... We do 1-byte kmalloc(), zero-length memcpy() (which doesn't oops, even thought the source is NULL) and put a NUL there. I.e. form an empty string. string_to_context_struct() is called and looks for the first ':' in there. Not found, -EINVAL we get. OK, security_context_to_sid_core() has rc == -EINVAL, force == 0, so it silently returns -EINVAL. All it takes now is not having CAP_MAC_ADMIN and we are fucked. All right, it might be a different bug (modulo strange code quoted in the report), but it's real. Easily fixed, AFAICS: Deal with size == 0, value == NULL case in selinux_inode_setxattr() Cc: stable@vger.kernel.org Signed-off-by: Al Viro Tested-by: Dave Jones Reported-by: Dave Jones Signed-off-by: James Morris --- Reading git-diff-tree failed