lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ee75bde9a17f418984186caa70abd33b@huawei.com>
Date:   Fri, 11 Jun 2021 09:44:03 +0000
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     "viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        "paul@...l-moore.com" <paul@...l-moore.com>,
        "Stephen Smalley" <stephen.smalley.work@...il.com>,
        "casey@...aufler-ca.com" <casey@...aufler-ca.com>,
        Stefan Berger <stefanb@...ux.ibm.com>
CC:     "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "selinux@...r.kernel.org" <selinux@...r.kernel.org>
Subject: Size mismatch between vfs_getxattr_alloc() and vfs_getxattr()

Hello

the ima-evm-utils tool discovered an issue doing signature
verification of xattrs.

On kernel side, EVM reads the xattr value with
vfs_getxattr_alloc(), which gets the value directly from the
xattr handler.

On user side, ima-evm-utils reads the value with the
lgetxattr() system call, which gets the value from LSMs.

There is a corner case, where security.selinux is set directly
with setfattr without adding \0 at the end.

In this case, the kernel and the user see different values
due to the fact that the former gets the raw value from the
xattr handler, and the latter gets the value normalized by
SELinux (which adds \0).

I found that originally also lgetxattr() was getting the value
from the xattr handler. This changed with:

commit 4bea58053f206be9a89ca35850f9ad295dac2042
Author: David P. Quigley <dpquigl@...ho.nsa.gov>
Date:   Mon Feb 4 22:29:40 2008 -0800

    VFS: Reorder vfs_getxattr to avoid unnecessary calls to the LSM

which directly calls LSMs for security.* xattrs.

Given that this patch is there for a long time, I would ask
if it makes sense to fix this issue. The way I would do it
is to check if the size returned by the xattr handler is the
same of the size returned by LSMs. If not, I would get
the value from the xattr handler.

Although this change does not check the xattr content,
it is sufficient to fix the issue.

Any opinion?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ