[CVE-2017-2618][PATCH T/Y] selinux: fix off-by-one in setprocattr

Kai-Heng Feng kai.heng.feng at canonical.com
Fri Jun 30 09:32:09 UTC 2017


Hi,

On Fri, Jun 30, 2017 at 3:21 PM, Po-Hsu Lin <po-hsu.lin at canonical.com> wrote:
> From: Stephen Smalley <sds at tycho.nsa.gov>
>
> CVE-2017-2618
>
> SELinux tries to support setting/clearing of /proc/pid/attr attributes
> from the shell by ignoring terminating newlines and treating an
> attribute value that begins with a NUL or newline as an attempt to
> clear the attribute.  However, the test for clearing attributes has
> always been wrong; it has an off-by-one error, and this could further
> lead to reading past the end of the allocated buffer since commit
> bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
> switch to memdup_user()").  Fix the off-by-one error.

I can't find commit bb646cdb12e75d82258c2f2e7746d5952d3e321a in Trusty.

IIUC the test case is wrong, but the CVE can only be triggered after
that particular commit.
So, I guess we don't need to apply it to Trusty. Can you double confirm for me?
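As an added illustration of the bug being discussed (a constructed model, not the patch or the kernel's code), the off-by-one is modelled as the clear-attribute test inspecting byte 1 of the written value instead of byte 0, and a bounds-checked read stands in for the exact-size heap buffer that memdup_user() returns. The assumed index and the sample inputs are mine.

```c
/* Constructed model of the CVE-2017-2618 clear-attribute test.
 * The kernel copies exactly `size` bytes of the user's write into a heap
 * buffer, so any index >= size is a read past the allocation; checked_byte()
 * reports that instead of performing it. Assumption: the buggy test checks
 * byte 1, the fixed test checks byte 0. */
#include <stddef.h>
#include <stdio.h>

enum attr_result { ATTR_CLEAR = 0, ATTR_SET = 1, ATTR_OOB_READ = 2 };

/* Return buf[idx] if it lies inside the `size`-byte buffer, else flag OOB. */
static int checked_byte(const char *buf, size_t size, size_t idx, int *oob)
{
    if (idx >= size) {
        *oob = 1;
        return 0;
    }
    return (unsigned char)buf[idx];
}

/* A value whose inspected byte is NUL or newline clears the attribute;
 * anything else is treated as a context to set. */
static enum attr_result classify(const char *str, size_t size, size_t idx)
{
    int oob = 0, c;

    if (size == 0)
        return ATTR_CLEAR;
    c = checked_byte(str, size, idx, &oob);
    if (oob)
        return ATTR_OOB_READ;          /* read past the end of the buffer */
    return (c != '\0' && c != '\n') ? ATTR_SET : ATTR_CLEAR;
}

enum attr_result check_buggy(const char *str, size_t size) { return classify(str, size, 1); }
enum attr_result check_fixed(const char *str, size_t size) { return classify(str, size, 0); }

int main(void)
{
    /* Constructed inputs, as a shell `echo` / `echo -n` would write them. */
    const char *in[] = { "\n", "x", "x\n", "user_u:user_r:user_t\n" };
    const size_t len[] = { 1, 1, 2, 21 };
    const char *label[] = { "CLEAR", "SET", "OOB_READ" };

    for (size_t i = 0; i < 4; i++)
        printf("size=%2zu  buggy=%-8s fixed=%s\n", len[i],
               label[check_buggy(in[i], len[i])], label[check_fixed(in[i], len[i])]);
    return 0;
}
```

The one-byte writes show the out-of-bounds read the CVE describes, and the two-byte "x\n" case shows the logic error itself: the buggy test clears the attribute where the fixed one sets it.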
