[CVE-2017-2618][PATCH T/Y] selinux: fix off-by-one in setprocattr

Po-Hsu Lin po-hsu.lin at canonical.com
Fri Jun 30 10:19:54 UTC 2017


Yes this commit (bb646cdb) does not exist in Trusty.

I sent this for Trusty is because the security/selinux/hooks.c still
suffer from the off-by-one error. Not sure if we should only do this
on Yakkety.

Regarding the test case, you're mentioning the example in the description?


On Fri, Jun 30, 2017 at 5:32 PM, Kai-Heng Feng
<kai.heng.feng at canonical.com> wrote:
> Hi,
> On Fri, Jun 30, 2017 at 3:21 PM, Po-Hsu Lin <po-hsu.lin at canonical.com> wrote:
>> From: Stephen Smalley <sds at tycho.nsa.gov>
>> CVE-2017-2618
>> SELinux tries to support setting/clearing of /proc/pid/attr attributes
>> from the shell by ignoring terminating newlines and treating an
>> attribute value that begins with a NUL or newline as an attempt to
>> clear the attribute.  However, the test for clearing attributes has
>> always been wrong; it has an off-by-one error, and this could further
>> lead to reading past the end of the allocated buffer since commit
>> bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
>> switch to memdup_user()").  Fix the off-by-one error.
> I can't find commit bb646cdb12e75d82258c2f2e7746d5952d3e321a in Trusty.
> IIUC the test case is wrong, but the CVE can only be triggered after
> that particular commit.
> So, I guess we don't need to apply it to Trusty. Can you double confirm for me?

More information about the kernel-team mailing list