5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Smalley stephen.smalley.work@gmail.com
commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream.
We should count the terminating NUL byte as part of the ctx_len. Otherwise, UBSAN logs a warning: UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14 index 60 is out of range for type 'char [*]'
The allocation itself is correct so there is no actual out of bounds indexing, just a warning.
Cc: stable@vger.kernel.org Suggested-by: Christian Göttsche cgzones@googlemail.com Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w... Signed-off-by: Stephen Smalley stephen.smalley.work@gmail.com Signed-off-by: Paul Moore paul@paul-moore.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/selinux/xfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc
ctx->ctx_doi = XFRM_SC_DOI_LSM; ctx->ctx_alg = XFRM_SC_ALG_SELINUX; - ctx->ctx_len = str_len; + ctx->ctx_len = str_len + 1; memcpy(ctx->ctx_str, &uctx[1], str_len); ctx->ctx_str[str_len] = '\0'; rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,