| Message ID | 20240223190546.3329966-1-mic@digikod.net |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:a81b:b0:108:e6aa:91d0 with SMTP id
bq27csp788772dyb;
Fri, 23 Feb 2024 11:06:38 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCXxyavE3s7eazFJwyM0ZlredtjM3ghWBVbbEyj7uuT31AO3uu6hnGLBP9jeP2d1IaOE1q8csJrNAo5WhYzV04KXrvCoXg==
X-Google-Smtp-Source:
AGHT+IH7NIKWOzOGFKv9vSfUJQm1vQP09s1LfBjva3b9awxkEH1pJS7+wPm+5kbdEInClm3n0Kxa
X-Received: by 2002:a17:90a:51e2:b0:29a:842b:d8b3 with SMTP id
u89-20020a17090a51e200b0029a842bd8b3mr714813pjh.7.1708715198651;
Fri, 23 Feb 2024 11:06:38 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708715198; cv=pass;
d=google.com; s=arc-20160816;
b=uruFaEYJZPYNjaa0v38gFvZm1DxPIMHMFJkZyJHebkHMp3ue2O74XeW9FpJyY2DB9C
ZSZ9AkbEWxnB8V/TdOfqrTjNp8KOMWKEwtYxxt/Nbu39rBoAg18Ezaef6wMPStrcM5GG
gzoJ1xiUlGHO6yTHQFcLb/Vfbk/5wCs/iu8Sbo9JLTmqVywIokGtVxXCEhnslEYAtE6a
S5kjI+F9r5WW9+AOnvLFXh8NR16WxmQ5Nxj4vUeYTnBDGkbjfGs6z4cjfbWInQpTfztF
hsIMejMWiGhiDNBHXb+aeeb2OSJuocJqFjkOxAqORNmDqFISVBbMlUTVheYyVQi0bqJ4
dzSg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:message-id:date:subject:cc:to
:from:dkim-signature;
bh=BSUEogyFCjluFI3KSBFuKHUGIeaHAns7++aIAJSrgw8=;
fh=75p7ccQGuT0xN9vNAOHl1M6SKBcYhJIT9hLFptk3jWg=;
b=LZeApnoLEg3lITD2d+gBRKcQdT1Ap4Fri0K8/VG0Ixy1d+v8XWiN6JijgXbBGhUupw
7JfYkrLesUtH6yxKq5oX4Y+Au9Rpmc5gI/b1n8wAlQIqB3kEMSAYSv/H9Od5bTl4XWQH
4i+xtLzOl2CtuNNpbX6e97xCpr4fE08TkQp8ynuXRVtR76Zg8xKmHUafQ2lHrB+UdIy/
BYlABXG2BOQ27s88ff0AQpBGvR/uf67Lbp7lKBihP1Pa+OKj1LjVXN6qcTWVWYRK7PbU
v+2EEIfOpXFjvt/0lvPYgAajH+SeyJsDPAe3swkX/mQD84S4QxmTkGNXt79WR6NPsjLB
QnfA==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@digikod.net header.s=20191114 header.b=1N9Om1Cl;
arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass
dkdomain=digikod.net);
spf=pass (google.com: domain of
linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org"
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
by mx.google.com with ESMTPS id
g3-20020a17090a578300b002994211c0c2si1601459pji.81.2024.02.23.11.06.38
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 23 Feb 2024 11:06:38 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
dkim=pass header.i=@digikod.net header.s=20191114 header.b=1N9Om1Cl;
arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass
dkdomain=digikod.net);
spf=pass (google.com: domain of
linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org designates
139.178.88.99 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-79016-ouuuleilei=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by sv.mirrors.kernel.org (Postfix) with ESMTPS id DAE13287B07
for <ouuuleilei@gmail.com>; Fri, 23 Feb 2024 19:06:27 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 6082B1448FD;
Fri, 23 Feb 2024 19:06:12 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net
header.b="1N9Om1Cl"
Received: from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch
[185.125.25.15])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0BCCD142631
for <linux-kernel@vger.kernel.org>; Fri, 23 Feb 2024 19:06:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=185.125.25.15
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1708715169; cv=none;
b=nyVUf9nRAvJdey2UXK8F5aHIPL8+vdeE8ys1HdFfsz/9lVnyA83kURD4z/urKFFSVdp47/nio3SSiShMZ2VOZsKVwFFCA4R1pQmg2i0ZQp3jI7NCjU/LTSosUBKm3P0UlpidqSkr7nE7n0EsJqAQ1EoVyfWd1SeJAMtXVqoUvz8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1708715169; c=relaxed/simple;
bh=qpzM6NBYR7WpVcp9/HBiZFKK8JElis+2lrx2b9BJFms=;
h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type;
b=SLYfZX/1sXOCIW+C/VvTgl8A0/OsNYZilxlC5DzSz7g33Ewj5zmINuoAy+GjRKMlOPLegfIE+86bStdYyVCw8TLv/xaz7LaBap5Od2oUQP9dpGc4R1cSaAcRklc3OlCeAMJLH4B4Z5AD9NDJNzIgap2V/VFRCRPnti8xSrYR1Mg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=digikod.net;
spf=pass smtp.mailfrom=digikod.net;
dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net
header.b=1N9Om1Cl; arc=none smtp.client-ip=185.125.25.15
Authentication-Results: smtp.subspace.kernel.org;
dmarc=none (p=none dis=none) header.from=digikod.net
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=digikod.net
Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch
[10.7.10.108])
by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4ThKGt4rmsz2TC;
Fri, 23 Feb 2024 20:05:58 +0100 (CET)
Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA
id 4ThKGs49MCzjsT;
Fri, 23 Feb 2024 20:05:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net;
s=20191114; t=1708715158;
bh=qpzM6NBYR7WpVcp9/HBiZFKK8JElis+2lrx2b9BJFms=;
h=From:To:Cc:Subject:Date:From;
b=1N9Om1ClO+r+L8Qkam4EJkqyN1SiVBZqs5lER3lgzN2iIjXSyXKUsBnEwslb1urAP
jw9IIgIu8sDs1Q4U5Oe/6uKx2AlVRr4rQwt/lIGGpkjJ1kHax1FNIiJsD+DMzXzo78
KnimjfuRbCak8dfFUJl1/GYfQfvSCPQEYotFWX+c=
From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>
To: Casey Schaufler <casey@schaufler-ca.com>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>
Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>,
James Morris <jmorris@namei.org>, "Serge E . Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org,
stable@vger.kernel.org
Subject: [PATCH 1/2] SELinux: Fix lsm_get_self_attr()
Date: Fri, 23 Feb 2024 20:05:45 +0100
Message-ID: <20240223190546.3329966-1-mic@digikod.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Infomaniak-Routing: alpha
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1791717748115558063
X-GMAIL-MSGID: 1791717748115558063
|
| Series |
[1/2] SELinux: Fix lsm_get_self_attr()
|
|
Commit Message
Mickaël Salaün
Feb. 23, 2024, 7:05 p.m. UTC
selinux_lsm_getattr() may not initialize the value's pointer in some
case. As for proc_pid_attr_read(), initialize this pointer to NULL in
selinux_getselfattr() to avoid an UAF in the kfree() call.
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Fixes: 762c934317e6 ("SELinux: Add selfattr hooks")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
security/selinux/hooks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
These bugs have been found with syzkaller. I just sent a PR to add support for the new LSM syscalls: https://github.com/google/syzkaller/pull/4524 On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > selinux_lsm_getattr() may not initialize the value's pointer in some > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > selinux_getselfattr() to avoid an UAF in the kfree() call. > > Cc: Casey Schaufler <casey@schaufler-ca.com> > Cc: Paul Moore <paul@paul-moore.com> > Cc: stable@vger.kernel.org > Fixes: 762c934317e6 ("SELinux: Add selfattr hooks") > Signed-off-by: Mickaël Salaün <mic@digikod.net> > --- > security/selinux/hooks.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index a6bf90ace84c..338b023a8c3e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, > size_t *size, u32 flags) > { > int rc; > - char *val; > + char *val = NULL; > int val_len; > > val_len = selinux_lsm_getattr(attr, current, &val); > -- > 2.43.0 >
On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > selinux_lsm_getattr() may not initialize the value's pointer in some > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > selinux_getselfattr() to avoid an UAF in the kfree() call. Not UAF but NULL pointer dereference (both patches)...
On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > selinux_lsm_getattr() may not initialize the value's pointer in some > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > Not UAF but NULL pointer dereference (both patches)... Well, that may be the result (as observed with the kfree() call), but the cause is obviously an uninitialized pointer.
On Fri, Feb 23, 2024 at 2:17 PM Mickaël Salaün <mic@digikod.net> wrote: > These bugs have been found with syzkaller. I just sent a PR to add > support for the new LSM syscalls: > https://github.com/google/syzkaller/pull/4524 Thanks :)
On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > Not UAF but NULL pointer dereference (both patches)... > > Well, that may be the result (as observed with the kfree() call), but > the cause is obviously an uninitialized pointer. Adding the SELinux list to the CC line; SELinux folks the original post is here: * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net Thanks for finding this and testing the patch, based on our off-list discussion, do you mind if I add a Suggested-by? Looking at this a bit more I think we'll want to make a few changes to selinux_lsm_getattr() later, but this patch is a good one for stable as it not only fixes the bug, but it is a trivial one-liner with very low risk. I do think we need to tweak the commit description a bit, what do you think of the following? "selinux_getselfattr() doesn't properly initialize the string pointer it passes to selinux_lsm_getattr() which can cause a problem when an attribute hasn't been explicitly set; selinux_lsm_getattr() returns 0/success, but does not set or initialize the string label/attribute. Failure to properly initialize the string causes problems later in selinux_getselfattr() when the function attempts to kfree() the string."
On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote: > On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > > > Not UAF but NULL pointer dereference (both patches)... > > > > Well, that may be the result (as observed with the kfree() call), but > > the cause is obviously an uninitialized pointer. > > Adding the SELinux list to the CC line; SELinux folks the original post is here: > > * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net > > Thanks for finding this and testing the patch, based on our off-list > discussion, do you mind if I add a Suggested-by? Looking at this a Sure! I was in a hurry and didn't give it the attention it needed... > bit more I think we'll want to make a few changes to > selinux_lsm_getattr() later, but this patch is a good one for stable > as it not only fixes the bug, but it is a trivial one-liner with very > low risk. > > I do think we need to tweak the commit description a bit, what do you > think of the following? > > "selinux_getselfattr() doesn't properly initialize the string > pointer it passes to selinux_lsm_getattr() which can cause a > problem when an attribute hasn't been explicitly set; > selinux_lsm_getattr() returns 0/success, but does not set or > initialize the string label/attribute. Failure to properly > initialize the string causes problems later in > selinux_getselfattr() when the function attempts to kfree() > the string." Much better!
On Fri, Feb 23, 2024 at 5:03 PM Mickaël Salaün <mic@digikod.net> wrote: > On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote: > > On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > > > > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > > > > > Not UAF but NULL pointer dereference (both patches)... > > > > > > Well, that may be the result (as observed with the kfree() call), but > > > the cause is obviously an uninitialized pointer. > > > > Adding the SELinux list to the CC line; SELinux folks the original post is here: > > > > * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net > > > > Thanks for finding this and testing the patch, based on our off-list > > discussion, do you mind if I add a Suggested-by? Looking at this a > > Sure! I was in a hurry and didn't give it the attention it needed... > > > bit more I think we'll want to make a few changes to > > selinux_lsm_getattr() later, but this patch is a good one for stable > > as it not only fixes the bug, but it is a trivial one-liner with very > > low risk. > > > > I do think we need to tweak the commit description a bit, what do you > > think of the following? > > > > "selinux_getselfattr() doesn't properly initialize the string > > pointer it passes to selinux_lsm_getattr() which can cause a > > problem when an attribute hasn't been explicitly set; > > selinux_lsm_getattr() returns 0/success, but does not set or > > initialize the string label/attribute. Failure to properly > > initialize the string causes problems later in > > selinux_getselfattr() when the function attempts to kfree() > > the string." > > Much better! Great :) I just went ahead and merged this into the lsm/stable-6.8 branch to get this some testing in linux-next, although I'm going to be *shocked* if this commit causes a regression. I'll send this up to Linus early next week, and if John wants me to send the AppArmor patch I'll do that at the same time.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..338b023a8c3e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, size_t *size, u32 flags) { int rc; - char *val; + char *val = NULL; int val_len; val_len = selinux_lsm_getattr(attr, current, &val);