diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2018-05-30 16:35:07 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-05-30 16:35:07 -0500 |
commit | 943cf9f3ca16133dbd00f9a4cbfea46512fcb0e8 (patch) | |
tree | 0f41a7d08f725701203530978b6180d6cb340ea7 /security/selinux | |
parent | c462f16b1a319991c59747e65837924a5ff17755 (diff) | |
parent | efe3de79e0b52ca281ef6691480c8c68c82a4657 (diff) |
Merge tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux fix from Paul Moore:
"One more small fix for SELinux: a small string length fix found by
KASAN.
I dislike sending patches this late in the release cycle, but this
patch fixes a legitimate problem, is very small, limited in scope, and
well understood.
There are two threads with more information on the problem, the latest
is linked below:
https://marc.info/?t=152723737400001&r=1&w=2
Stephen points out in the thread linked above:
'Such a setxattr() call can only be performed by a process with
CAP_MAC_ADMIN that is also allowed mac_admin permission in SELinux
policy. Consequently, this is never possible on Android (no process
is allowed mac_admin permission, always enforcing) and is only
possible in Fedora/RHEL for a few domains (if enforcing)'"
* tag 'selinux-pr-20180530' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: KASAN: slab-out-of-bounds in xattr_getsecurity
Diffstat (limited to 'security/selinux')
-rw-r--r-- | security/selinux/ss/services.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8057e19dc15f..3ce225e3f142 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1494,7 +1494,7 @@ static int security_context_to_sid_core(struct selinux_state *state, scontext_len, &context, def_sid); if (rc == -EINVAL && force) { context.str = str; - context.len = scontext_len; + context.len = strlen(str) + 1; str = NULL; } else if (rc) goto out_unlock; |