Merge tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinuxfix from Paul Moore: "One patch to ensure we don't copy bad memory up into userspace" * tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix context string corruption in convert_context()

commit: 2ef459167adb5d7cf76df403b4fcf79347056824 [log] [tgz]
author: Linus Torvalds <torvalds@linux-foundation.org> Tue Oct 08 10:51:37 2019 -0700
committer: Linus Torvalds <torvalds@linux-foundation.org> Tue Oct 08 10:51:37 2019 -0700
tree: a769c7c4bc544c97f54a666495bd257a2faca96f
parent: f54e66ae770fe559fb21383f95d739ac74c03ea8 [diff]
parent: 2a5243937c700ffe6a28e6557a4562a9ab0a17a4 [diff]
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3a29e7c..a5813c7 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c

@@ -1946,7 +1946,14 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
 		rc = string_to_context_struct(args->newp, NULL, s,
 					      newc, SECSID_NULL);
 		if (rc == -EINVAL) {
-			/* Retain string representation for later mapping. */
+			/*
+			 * Retain string representation for later mapping.
+			 *
+			 * IMPORTANT: We need to copy the contents of oldc->str
+			 * back into s again because string_to_context_struct()
+			 * may have garbled it.
+			 */
+			memcpy(s, oldc->str, oldc->len);
 			context_init(newc);
 			newc->str = s;
 			newc->len = oldc->len;
commit	2ef459167adb5d7cf76df403b4fcf79347056824	[log] [tgz]
author	Linus Torvalds <torvalds@linux-foundation.org>	Tue Oct 08 10:51:37 2019 -0700
committer	Linus Torvalds <torvalds@linux-foundation.org>	Tue Oct 08 10:51:37 2019 -0700
tree	a769c7c4bc544c97f54a666495bd257a2faca96f
parent	f54e66ae770fe559fb21383f95d739ac74c03ea8 [diff]
parent	2a5243937c700ffe6a28e6557a4562a9ab0a17a4 [diff]