| Message ID | 20240223190546.3329966-1-mic@digikod.net (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [1/2] SELinux: Fix lsm_get_self_attr() | expand |
On Fri, Feb 23, 2024 at 2:17 PM Mickaël Salaün <mic@digikod.net> wrote: > These bugs have been found with syzkaller. I just sent a PR to add > support for the new LSM syscalls: > https://github.com/google/syzkaller/pull/4524 Thanks :)
On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > Not UAF but NULL pointer dereference (both patches)... > > Well, that may be the result (as observed with the kfree() call), but > the cause is obviously an uninitialized pointer. Adding the SELinux list to the CC line; SELinux folks the original post is here: * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net Thanks for finding this and testing the patch, based on our off-list discussion, do you mind if I add a Suggested-by? Looking at this a bit more I think we'll want to make a few changes to selinux_lsm_getattr() later, but this patch is a good one for stable as it not only fixes the bug, but it is a trivial one-liner with very low risk. I do think we need to tweak the commit description a bit, what do you think of the following? "selinux_getselfattr() doesn't properly initialize the string pointer it passes to selinux_lsm_getattr() which can cause a problem when an attribute hasn't been explicitly set; selinux_lsm_getattr() returns 0/success, but does not set or initialize the string label/attribute. Failure to properly initialize the string causes problems later in selinux_getselfattr() when the function attempts to kfree() the string."
On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote: > On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > > > Not UAF but NULL pointer dereference (both patches)... > > > > Well, that may be the result (as observed with the kfree() call), but > > the cause is obviously an uninitialized pointer. > > Adding the SELinux list to the CC line; SELinux folks the original post is here: > > * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net > > Thanks for finding this and testing the patch, based on our off-list > discussion, do you mind if I add a Suggested-by? Looking at this a Sure! I was in a hurry and didn't give it the attention it needed... > bit more I think we'll want to make a few changes to > selinux_lsm_getattr() later, but this patch is a good one for stable > as it not only fixes the bug, but it is a trivial one-liner with very > low risk. > > I do think we need to tweak the commit description a bit, what do you > think of the following? > > "selinux_getselfattr() doesn't properly initialize the string > pointer it passes to selinux_lsm_getattr() which can cause a > problem when an attribute hasn't been explicitly set; > selinux_lsm_getattr() returns 0/success, but does not set or > initialize the string label/attribute. Failure to properly > initialize the string causes problems later in > selinux_getselfattr() when the function attempts to kfree() > the string." Much better!
On Fri, Feb 23, 2024 at 5:03 PM Mickaël Salaün <mic@digikod.net> wrote: > On Fri, Feb 23, 2024 at 04:05:16PM -0500, Paul Moore wrote: > > On Fri, Feb 23, 2024 at 3:04 PM Mickaël Salaün <mic@digikod.net> wrote: > > > > > > On Fri, Feb 23, 2024 at 08:59:34PM +0100, Mickaël Salaün wrote: > > > > On Fri, Feb 23, 2024 at 08:05:45PM +0100, Mickaël Salaün wrote: > > > > > selinux_lsm_getattr() may not initialize the value's pointer in some > > > > > case. As for proc_pid_attr_read(), initialize this pointer to NULL in > > > > > selinux_getselfattr() to avoid an UAF in the kfree() call. > > > > > > > > Not UAF but NULL pointer dereference (both patches)... > > > > > > Well, that may be the result (as observed with the kfree() call), but > > > the cause is obviously an uninitialized pointer. > > > > Adding the SELinux list to the CC line; SELinux folks the original post is here: > > > > * https://lore.kernel.org/all/20240223190546.3329966-1-mic@digikod.net > > > > Thanks for finding this and testing the patch, based on our off-list > > discussion, do you mind if I add a Suggested-by? Looking at this a > > Sure! I was in a hurry and didn't give it the attention it needed... > > > bit more I think we'll want to make a few changes to > > selinux_lsm_getattr() later, but this patch is a good one for stable > > as it not only fixes the bug, but it is a trivial one-liner with very > > low risk. > > > > I do think we need to tweak the commit description a bit, what do you > > think of the following? > > > > "selinux_getselfattr() doesn't properly initialize the string > > pointer it passes to selinux_lsm_getattr() which can cause a > > problem when an attribute hasn't been explicitly set; > > selinux_lsm_getattr() returns 0/success, but does not set or > > initialize the string label/attribute. Failure to properly > > initialize the string causes problems later in > > selinux_getselfattr() when the function attempts to kfree() > > the string." > > Much better! Great :) I just went ahead and merged this into the lsm/stable-6.8 branch to get this some testing in linux-next, although I'm going to be *shocked* if this commit causes a regression. I'll send this up to Linus early next week, and if John wants me to send the AppArmor patch I'll do that at the same time.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..338b023a8c3e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6559,7 +6559,7 @@ static int selinux_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, size_t *size, u32 flags) { int rc; - char *val; + char *val = NULL; int val_len; val_len = selinux_lsm_getattr(attr, current, &val);
selinux_lsm_getattr() may not initialize the value's pointer in some case. As for proc_pid_attr_read(), initialize this pointer to NULL in selinux_getselfattr() to avoid an UAF in the kfree() call. Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Paul Moore <paul@paul-moore.com> Cc: stable@vger.kernel.org Fixes: 762c934317e6 ("SELinux: Add selfattr hooks") Signed-off-by: Mickaël Salaün <mic@digikod.net> --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)