diff options
| author | Stephen Smalley <stephen.smalley.work@gmail.com> | 2025-06-13 15:37:05 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-06-27 11:02:56 +0100 |
| commit | a21966e594ecc7d30421df0e1e336516ef0f9ee5 (patch) | |
| tree | c28e7e2feff0ae8fa3ae4e20a1ac75c46fdd371d /security | |
| parent | 48222a330de4fc72830016ff118d7e73d572d3d6 (diff) | |
| download | linux-a21966e594ecc7d30421df0e1e336516ef0f9ee5.tar.gz linux-a21966e594ecc7d30421df0e1e336516ef0f9ee5.tar.bz2 linux-a21966e594ecc7d30421df0e1e336516ef0f9ee5.zip | |
selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream.
We should count the terminating NUL byte as part of the ctx_len.
Otherwise, UBSAN logs a warning:
UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14
index 60 is out of range for type 'char [*]'
The allocation itself is correct so there is no actual out of bounds
indexing, just a warning.
Cc: stable@vger.kernel.org
Suggested-by: Christian Göttsche <cgzones@googlemail.com>
Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/xfrm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 00e95f8bd7c7..ccc3a4389ce9 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; - ctx->ctx_len = str_len; + ctx->ctx_len = str_len + 1; memcpy(ctx->ctx_str, &uctx[1], str_len); ctx->ctx_str[str_len] = '\0'; rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len, |