* [PATCH v3] libselinux: Eliminate use of security_compute_user()
@ 2020-02-08 7:36 Petr Lautrbach
2020-02-10 14:23 ` Stephen Smalley
2020-02-10 15:00 ` Ondrej Mosnacek
0 siblings, 2 replies; 4+ messages in thread
From: Petr Lautrbach @ 2020-02-08 7:36 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
get_ordered_context_list() code used to ask the kernel to compute the complete
set of reachable contexts using /sys/fs/selinux/user aka
security_compute_user(). This set can be so huge so that it doesn't fit into a
kernel page and security_compute_user() fails. Even if it doesn't fail,
get_ordered_context_list() throws away the vast majority of the returned
contexts because they don't match anything in
/etc/selinux/targeted/contexts/default_contexts or
/etc/selinux/targeted/contexts/users/
get_ordered_context_list() is rewritten to compute set of contexts based on
/etc/selinux/targeted/contexts/users/ and
/etc/selinux/targeted/contexts/default_contexts files and to return only valid
contexts, using security_check_context(), from this set.
Fixes: https://github.com/SELinuxProject/selinux/issues/28
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
v3 changes:
- check return values of context_range_set() and context_str()
- do not add duplicate entries to reachable contexts
libselinux/src/get_context_list.c | 219 ++++++++++++++----------------
1 file changed, 103 insertions(+), 116 deletions(-)
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 689e46589f30..cc39f8c6a96c 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
#include <errno.h>
#include <stdio.h>
#include <stdio_ext.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
@@ -114,61 +115,38 @@ int get_default_context(const char *user,
return 0;
}
-static int find_partialcon(char ** list,
- unsigned int nreach, char *part)
+static int is_in_reachable(char **reachable, const char *usercon_str)
{
- const char *conrole, *contype;
- char *partrole, *parttype, *ptr;
- context_t con;
- unsigned int i;
+ if (!reachable)
+ return 0;
- partrole = part;
- ptr = part;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- if (*ptr != ':')
- return -1;
- *ptr++ = 0;
- parttype = ptr;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- *ptr = 0;
-
- for (i = 0; i < nreach; i++) {
- con = context_new(list[i]);
- if (!con)
- return -1;
- conrole = context_role_get(con);
- contype = context_type_get(con);
- if (!conrole || !contype) {
- context_free(con);
- return -1;
- }
- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
- context_free(con);
- return i;
+ for (; *reachable != NULL; reachable++) {
+ if (strcmp(*reachable, usercon_str) == 0) {
+ return 1;
}
- context_free(con);
}
-
- return -1;
+ return 0;
}
-static int get_context_order(FILE * fp,
+static int get_context_user(FILE * fp,
char * fromcon,
- char ** reachable,
- unsigned int nreach,
- unsigned int *ordering, unsigned int *nordered)
+ const char * user,
+ char ***reachable,
+ unsigned int *nreachable)
{
char *start, *end = NULL;
char *line = NULL;
- size_t line_len = 0;
+ size_t line_len = 0, usercon_len;
+ size_t user_len = strlen(user);
ssize_t len;
int found = 0;
- const char *fromrole, *fromtype;
+ const char *fromrole, *fromtype, *fromlevel;
char *linerole, *linetype;
- unsigned int i;
+ char **new_reachable = NULL;
+ char *usercon_str;
context_t con;
+ context_t usercon;
+
int rc;
errno = -EINVAL;
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
return -1;
fromrole = context_role_get(con);
fromtype = context_type_get(con);
+ fromlevel = context_range_get(con);
if (!fromrole || !fromtype) {
context_free(con);
return -1;
@@ -243,23 +222,89 @@ static int get_context_order(FILE * fp,
if (*end)
*end++ = 0;
- /* Check for a match in the reachable list. */
- rc = find_partialcon(reachable, nreach, start);
- if (rc < 0) {
- /* No match, skip it. */
+ /* Check whether a new context is valid */
+ if (SIZE_MAX - user_len < strlen(start) + 1) {
+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+ errno = EINVAL;
+ rc = -1;
+ goto out;
+ }
+ usercon_len = user_len + strlen(start) + 1;
+ usercon_str = malloc(usercon_len);
+ if (!usercon_str) {
+ rc = -1;
+ goto out;
+ }
+
+ /* set range from fromcon in the new usercon */
+ snprintf(usercon_str, usercon_len - 1, "%s:%s", user, start);
+ usercon = context_new(usercon_str);
+ if (!usercon) {
+ if (errno != EINVAL) {
+ free(usercon_str);
+ rc = -1;
+ goto out;
+ }
+ fprintf(stderr,
+ "%s: can't create a context from %s, skipping\n",
+ __FUNCTION__, usercon_str);
+ free(usercon_str);
+ start = end;
+ continue;
+ }
+ if (context_range_set(usercon, fromlevel) != 0) {
+ if (errno != EINVAL) {
+ free(usercon_str);
+ rc = -1;
+ goto out;
+ }
+ fprintf(stderr,
+ "%s: can't set a new range %s for %s, skipping\n",
+ __FUNCTION__, fromlevel, usercon_str);
+ free(usercon_str);
start = end;
continue;
}
+ free(usercon_str);
+ usercon_str = context_str(usercon);
+ if (!usercon_str) {
+ rc = -1;
+ goto out;
+ }
- /* If a match is found and the entry is not already ordered
- (e.g. due to prior match in prior config file), then set
- the ordering for it. */
- i = rc;
- if (ordering[i] == nreach)
- ordering[i] = (*nordered)++;
+ /* check whether usercon is already in reachable */
+ if (is_in_reachable(*reachable, usercon_str)) {
+ start = end;
+ continue;
+ }
+ if (security_check_context(usercon_str) == 0) {
+ if (*nreachable == 0) {
+ new_reachable = malloc(2 * sizeof(char *));
+ if (!new_reachable) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ } else {
+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
+ if (!new_reachable) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ }
+ new_reachable[*nreachable] = strdup(usercon_str);
+ if (new_reachable[*nreachable] == NULL) {
+ rc = -1;
+ goto out;
+ }
+ new_reachable[*nreachable + 1] = 0;
+ *reachable = new_reachable;
+ *nreachable += 1;
+ }
+ context_free(usercon);
start = end;
}
-
rc = 0;
out:
@@ -313,21 +358,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
return 0;
}
-struct context_order {
- char * con;
- unsigned int order;
-};
-
-static int order_compare(const void *A, const void *B)
-{
- const struct context_order *c1 = A, *c2 = B;
- if (c1->order < c2->order)
- return -1;
- else if (c1->order > c2->order)
- return 1;
- return strcmp(c1->con, c2->con);
-}
-
int get_ordered_context_list_with_level(const char *user,
const char *level,
char * fromcon,
@@ -395,11 +425,8 @@ int get_ordered_context_list(const char *user,
char *** list)
{
char **reachable = NULL;
- unsigned int *ordering = NULL;
- struct context_order *co = NULL;
- char **ptr;
int rc = 0;
- unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
+ unsigned nreachable = 0, freefrom = 0;
FILE *fp;
char *fname = NULL;
size_t fname_len;
@@ -413,23 +440,6 @@ int get_ordered_context_list(const char *user,
freefrom = 1;
}
- /* Determine the set of reachable contexts for the user. */
- rc = security_compute_user(fromcon, user, &reachable);
- if (rc < 0)
- goto failsafe;
- nreach = 0;
- for (ptr = reachable; *ptr; ptr++)
- nreach++;
- if (!nreach)
- goto failsafe;
-
- /* Initialize ordering array. */
- ordering = malloc(nreach * sizeof(unsigned int));
- if (!ordering)
- goto failsafe;
- for (i = 0; i < nreach; i++)
- ordering[i] = nreach;
-
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +450,8 @@ int get_ordered_context_list(const char *user,
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -454,8 +464,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -463,32 +472,11 @@ int get_ordered_context_list(const char *user,
__FUNCTION__, selinux_default_context_path());
/* Fall through */
}
- rc = 0;
+ rc = nreachable;
}
- if (!nordered)
- goto failsafe;
-
- /* Apply the ordering. */
- co = malloc(nreach * sizeof(struct context_order));
- if (!co)
+ if (!nreachable)
goto failsafe;
- for (i = 0; i < nreach; i++) {
- co[i].con = reachable[i];
- co[i].order = ordering[i];
- }
- qsort(co, nreach, sizeof(struct context_order), order_compare);
- for (i = 0; i < nreach; i++)
- reachable[i] = co[i].con;
- free(co);
-
- /* Only report the ordered entries to the caller. */
- if (nordered <= nreach) {
- for (i = nordered; i < nreach; i++)
- free(reachable[i]);
- reachable[nordered] = NULL;
- rc = nordered;
- }
out:
if (rc > 0)
@@ -496,7 +484,6 @@ int get_ordered_context_list(const char *user,
else
freeconary(reachable);
- free(ordering);
if (freefrom)
freecon(fromcon);
--
2.24.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v3] libselinux: Eliminate use of security_compute_user()
2020-02-08 7:36 [PATCH v3] libselinux: Eliminate use of security_compute_user() Petr Lautrbach
@ 2020-02-10 14:23 ` Stephen Smalley
2020-02-10 15:00 ` Ondrej Mosnacek
1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2020-02-10 14:23 UTC (permalink / raw)
To: Petr Lautrbach, selinux
On 2/8/20 2:36 AM, Petr Lautrbach wrote:
> get_ordered_context_list() code used to ask the kernel to compute the complete
> set of reachable contexts using /sys/fs/selinux/user aka
> security_compute_user(). This set can be so huge so that it doesn't fit into a
> kernel page and security_compute_user() fails. Even if it doesn't fail,
> get_ordered_context_list() throws away the vast majority of the returned
> contexts because they don't match anything in
> /etc/selinux/targeted/contexts/default_contexts or
> /etc/selinux/targeted/contexts/users/
>
> get_ordered_context_list() is rewritten to compute set of contexts based on
> /etc/selinux/targeted/contexts/users/ and
> /etc/selinux/targeted/contexts/default_contexts files and to return only valid
> contexts, using security_check_context(), from this set.
>
> Fixes: https://github.com/SELinuxProject/selinux/issues/28
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
> index 689e46589f30..cc39f8c6a96c 100644
> --- a/libselinux/src/get_context_list.c
> +++ b/libselinux/src/get_context_list.c
> @@ -243,23 +222,89 @@ static int get_context_order(FILE * fp,
> if (*end)
> *end++ = 0;
>
> - /* Check for a match in the reachable list. */
> - rc = find_partialcon(reachable, nreach, start);
> - if (rc < 0) {
> - /* No match, skip it. */
> + /* Check whether a new context is valid */
> + if (SIZE_MAX - user_len < strlen(start) + 1) {
> + fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
> + errno = EINVAL;
> + rc = -1;
> + goto out;
> + }
> + usercon_len = user_len + strlen(start) + 1;
> + usercon_str = malloc(usercon_len);
> + if (!usercon_str) {
> + rc = -1;
> + goto out;
> + }
> +
> + /* set range from fromcon in the new usercon */
> + snprintf(usercon_str, usercon_len - 1, "%s:%s", user, start);
> + usercon = context_new(usercon_str);
> + if (!usercon) {
> + if (errno != EINVAL) {
> + free(usercon_str);
> + rc = -1;
> + goto out;
> + }
> + fprintf(stderr,
> + "%s: can't create a context from %s, skipping\n",
> + __FUNCTION__, usercon_str);
> + free(usercon_str);
> + start = end;
> + continue;
> + }
> + if (context_range_set(usercon, fromlevel) != 0) {
> + if (errno != EINVAL) {
> + free(usercon_str);
> + rc = -1;
> + goto out;
> + }
> + fprintf(stderr,
> + "%s: can't set a new range %s for %s, skipping\n",
> + __FUNCTION__, fromlevel, usercon_str);
> + free(usercon_str);
I'd think we could always treat this as a fatal error but up to you.
Regardless, we need to also do a context_free(usercon); here or we will
leak the memory.
> start = end;
> continue;
> }
> + free(usercon_str);
> + usercon_str = context_str(usercon);
> + if (!usercon_str) {
> + rc = -1;
context_free(usercon); needed here as well.
> + goto out;
> + }
>
> - /* If a match is found and the entry is not already ordered
> - (e.g. due to prior match in prior config file), then set
> - the ordering for it. */
> - i = rc;
> - if (ordering[i] == nreach)
> - ordering[i] = (*nordered)++;
> + /* check whether usercon is already in reachable */
> + if (is_in_reachable(*reachable, usercon_str)) {
> + start = end;
And again.
> + continue;
> + }
> + if (security_check_context(usercon_str) == 0) {
> + if (*nreachable == 0) {
> + new_reachable = malloc(2 * sizeof(char *));
> + if (!new_reachable) {
> + context_free(usercon);
> + rc = -1;
> + goto out;
> + }
> + } else {
> + new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
> + if (!new_reachable) {
> + context_free(usercon);
> + rc = -1;
> + goto out;
> + }
> + }
> + new_reachable[*nreachable] = strdup(usercon_str);
> + if (new_reachable[*nreachable] == NULL) {
> + rc = -1;
> + goto out;
> + }
> + new_reachable[*nreachable + 1] = 0;
> + *reachable = new_reachable;
> + *nreachable += 1;
> + }
> + context_free(usercon);
> start = end;
> }
> -
> rc = 0;
>
> out:
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v3] libselinux: Eliminate use of security_compute_user()
2020-02-08 7:36 [PATCH v3] libselinux: Eliminate use of security_compute_user() Petr Lautrbach
2020-02-10 14:23 ` Stephen Smalley
@ 2020-02-10 15:00 ` Ondrej Mosnacek
2020-02-10 16:09 ` Stephen Smalley
1 sibling, 1 reply; 4+ messages in thread
From: Ondrej Mosnacek @ 2020-02-10 15:00 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: SElinux list
I haven't looked at the whole patch properly yet, but noting what I
found so far (see below)...
On Sat, Feb 8, 2020 at 8:36 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> get_ordered_context_list() code used to ask the kernel to compute the complete
> set of reachable contexts using /sys/fs/selinux/user aka
> security_compute_user(). This set can be so huge so that it doesn't fit into a
> kernel page and security_compute_user() fails. Even if it doesn't fail,
> get_ordered_context_list() throws away the vast majority of the returned
> contexts because they don't match anything in
> /etc/selinux/targeted/contexts/default_contexts or
> /etc/selinux/targeted/contexts/users/
>
> get_ordered_context_list() is rewritten to compute set of contexts based on
> /etc/selinux/targeted/contexts/users/ and
> /etc/selinux/targeted/contexts/default_contexts files and to return only valid
> contexts, using security_check_context(), from this set.
>
> Fixes: https://github.com/SELinuxProject/selinux/issues/28
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> v3 changes:
>
> - check return values of context_range_set() and context_str()
> - do not add duplicate entries to reachable contexts
>
>
> libselinux/src/get_context_list.c | 219 ++++++++++++++----------------
> 1 file changed, 103 insertions(+), 116 deletions(-)
>
> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
> index 689e46589f30..cc39f8c6a96c 100644
> --- a/libselinux/src/get_context_list.c
> +++ b/libselinux/src/get_context_list.c
<snip>
> -static int get_context_order(FILE * fp,
> +static int get_context_user(FILE * fp,
> char * fromcon,
> - char ** reachable,
> - unsigned int nreach,
> - unsigned int *ordering, unsigned int *nordered)
> + const char * user,
> + char ***reachable,
> + unsigned int *nreachable)
> {
> char *start, *end = NULL;
> char *line = NULL;
> - size_t line_len = 0;
> + size_t line_len = 0, usercon_len;
> + size_t user_len = strlen(user);
> ssize_t len;
> int found = 0;
> - const char *fromrole, *fromtype;
> + const char *fromrole, *fromtype, *fromlevel;
> char *linerole, *linetype;
> - unsigned int i;
> + char **new_reachable = NULL;
> + char *usercon_str;
> context_t con;
> + context_t usercon;
> +
> int rc;
>
> errno = -EINVAL;
> @@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
> return -1;
> fromrole = context_role_get(con);
> fromtype = context_type_get(con);
> + fromlevel = context_range_get(con);
> if (!fromrole || !fromtype) {
> context_free(con);
> return -1;
> @@ -243,23 +222,89 @@ static int get_context_order(FILE * fp,
> if (*end)
> *end++ = 0;
>
> - /* Check for a match in the reachable list. */
> - rc = find_partialcon(reachable, nreach, start);
> - if (rc < 0) {
> - /* No match, skip it. */
> + /* Check whether a new context is valid */
> + if (SIZE_MAX - user_len < strlen(start) + 1) {
You need to also account for either the null character or the colon
(not sure which one you missed).
> + fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
> + errno = EINVAL;
> + rc = -1;
> + goto out;
> + }
> + usercon_len = user_len + strlen(start) + 1;
> + usercon_str = malloc(usercon_len);
Again, you are not accounting for one of '\0' or ':' here.
> + if (!usercon_str) {
> + rc = -1;
> + goto out;
> + }
> +
> + /* set range from fromcon in the new usercon */
> + snprintf(usercon_str, usercon_len - 1, "%s:%s", user, start);
The second argument should be just usercon_len (assuming you fix the
above) - see snprintf(3):
"The functions snprintf() and vsnprintf() write at most size bytes
(including the terminating null byte ('\0')) to str."
So this should always result in a string with 2 last characters
truncated (followed by a null character and an unused byte). Or am I
missing something? Did you get correct strings when you tested this?
<snip>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v3] libselinux: Eliminate use of security_compute_user()
2020-02-10 15:00 ` Ondrej Mosnacek
@ 2020-02-10 16:09 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2020-02-10 16:09 UTC (permalink / raw)
To: Ondrej Mosnacek, Petr Lautrbach; +Cc: SElinux list
On 2/10/20 10:00 AM, Ondrej Mosnacek wrote:
> I haven't looked at the whole patch properly yet, but noting what I
> found so far (see below)...
>
> On Sat, Feb 8, 2020 at 8:36 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>> get_ordered_context_list() code used to ask the kernel to compute the complete
>> set of reachable contexts using /sys/fs/selinux/user aka
>> security_compute_user(). This set can be so huge so that it doesn't fit into a
>> kernel page and security_compute_user() fails. Even if it doesn't fail,
>> get_ordered_context_list() throws away the vast majority of the returned
>> contexts because they don't match anything in
>> /etc/selinux/targeted/contexts/default_contexts or
>> /etc/selinux/targeted/contexts/users/
>>
>> get_ordered_context_list() is rewritten to compute set of contexts based on
>> /etc/selinux/targeted/contexts/users/ and
>> /etc/selinux/targeted/contexts/default_contexts files and to return only valid
>> contexts, using security_check_context(), from this set.
>>
>> Fixes: https://github.com/SELinuxProject/selinux/issues/28
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>
>> v3 changes:
>>
>> - check return values of context_range_set() and context_str()
>> - do not add duplicate entries to reachable contexts
>>
>>
>> libselinux/src/get_context_list.c | 219 ++++++++++++++----------------
>> 1 file changed, 103 insertions(+), 116 deletions(-)
>>
>> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
>> index 689e46589f30..cc39f8c6a96c 100644
>> --- a/libselinux/src/get_context_list.c
>> +++ b/libselinux/src/get_context_list.c
>
> <snip>
>
>> -static int get_context_order(FILE * fp,
>> +static int get_context_user(FILE * fp,
>> char * fromcon,
>> - char ** reachable,
>> - unsigned int nreach,
>> - unsigned int *ordering, unsigned int *nordered)
>> + const char * user,
>> + char ***reachable,
>> + unsigned int *nreachable)
>> {
>> char *start, *end = NULL;
>> char *line = NULL;
>> - size_t line_len = 0;
>> + size_t line_len = 0, usercon_len;
>> + size_t user_len = strlen(user);
>> ssize_t len;
>> int found = 0;
>> - const char *fromrole, *fromtype;
>> + const char *fromrole, *fromtype, *fromlevel;
>> char *linerole, *linetype;
>> - unsigned int i;
>> + char **new_reachable = NULL;
>> + char *usercon_str;
>> context_t con;
>> + context_t usercon;
>> +
>> int rc;
>>
>> errno = -EINVAL;
>> @@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
>> return -1;
>> fromrole = context_role_get(con);
>> fromtype = context_type_get(con);
>> + fromlevel = context_range_get(con);
>> if (!fromrole || !fromtype) {
>> context_free(con);
>> return -1;
>> @@ -243,23 +222,89 @@ static int get_context_order(FILE * fp,
>> if (*end)
>> *end++ = 0;
>>
>> - /* Check for a match in the reachable list. */
>> - rc = find_partialcon(reachable, nreach, start);
>> - if (rc < 0) {
>> - /* No match, skip it. */
>> + /* Check whether a new context is valid */
>> + if (SIZE_MAX - user_len < strlen(start) + 1) {
>
> You need to also account for either the null character or the colon
> (not sure which one you missed).
>
>> + fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
>> + errno = EINVAL;
>> + rc = -1;
>> + goto out;
>> + }
>> + usercon_len = user_len + strlen(start) + 1;
>> + usercon_str = malloc(usercon_len);
>
> Again, you are not accounting for one of '\0' or ':' here.
>
>> + if (!usercon_str) {
>> + rc = -1;
>> + goto out;
>> + }
>> +
>> + /* set range from fromcon in the new usercon */
>> + snprintf(usercon_str, usercon_len - 1, "%s:%s", user, start);
>
> The second argument should be just usercon_len (assuming you fix the
> above) - see snprintf(3):
>
> "The functions snprintf() and vsnprintf() write at most size bytes
> (including the terminating null byte ('\0')) to str."
>
> So this should always result in a string with 2 last characters
> truncated (followed by a null character and an unused byte). Or am I
> missing something? Did you get correct strings when you tested this?
It is truncating the "s0" level from start but then we are explicitly
overriding the level via context_range_set(), so the bug gets masked.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-02-10 16:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-08 7:36 [PATCH v3] libselinux: Eliminate use of security_compute_user() Petr Lautrbach
2020-02-10 14:23 ` Stephen Smalley
2020-02-10 15:00 ` Ondrej Mosnacek
2020-02-10 16:09 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).