Message-ID: <5c6ab57d-dbd6-85e2-72fc-d74998ae15b0@intel.com>
Date:   Sat, 13 Nov 2021 23:09:51 +0800
From:   kernel test robot <yujie.liu@...el.com>
To:     Vivek Goyal <vgoyal@...hat.com>
CC:     <llvm@...ts.linux.dev>, <kbuild-all@...ts.01.org>,
        "Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>
Subject: [rhvgoyal:fuse-secctx 2/2] fs/fuse/dir.c:502:3: warning: Call to
 function 'strcpy' is insecure as it does not provide bounding of the memory
 buffer. Replace unbounded copy functions with analogous functions that
 support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-se...

tree:   https://github.com/rhvgoyal/linux fuse-secctx
head:   6df7ad1315eb0cf5fec0a2efc1a35743052f3087
commit: 6df7ad1315eb0cf5fec0a2efc1a35743052f3087 [2/2] fuse: Send security context of inode on file creation
config: riscv-randconfig-c006-20210930 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 28981015526f2192440c18f18e8a20cd11b0779c)
reproduce (this is a W=1 build):
         wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
         chmod +x ~/bin/make.cross
         # install riscv cross compiling tool for clang build
         # apt-get install binutils-riscv64-linux-gnu
         # https://github.com/rhvgoyal/linux/commit/6df7ad1315eb0cf5fec0a2efc1a35743052f3087
         git remote add rhvgoyal https://github.com/rhvgoyal/linux
         git fetch --no-tags rhvgoyal fuse-secctx
         git checkout 6df7ad1315eb0cf5fec0a2efc1a35743052f3087
         # save the attached .config to linux build tree
         COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


clang-analyzer warnings: (new ones prefixed by >>)

 >> fs/fuse/dir.c:502:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
                    strcpy(ptr, name);
                    ^~~~~~

 >> fs/fuse/dir.c:772:2: warning: Address of stack memory associated with local variable 'outarg' is still referred to by the stack variable 'args' upon returning to the caller.  This will be a dangling reference [clang-analyzer-core.StackAddressEscape]
            return err;
            ^


vim +502 fs/fuse/dir.c

e5e5558e923f35 Miklos Szeredi 2005-09-09  461
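/*
 * Build the security-context blob for a file that is about to be created.
 *
 * Layout of the buffer handed back through @security_ctx:
 *   struct fuse_secctx            header; ->size is the label length (0 if none)
 *   "security.selinux\0"          xattr name, only when a label exists
 *   label bytes from the LSM      only when a label exists
 *
 * @entry:           dentry being created; its d_name is passed to the LSM hook
 * @mode:            mode of the new inode, passed to the LSM hook
 * @security_ctx:    on success, set to the kzalloc()ed buffer described above
 *                   (NOTE(review): presumably freed by the caller; the free
 *                   is not visible in this function)
 * @security_ctxlen: on success, set to the size of that buffer in bytes
 *
 * Returns 0 on success, -ENOMEM if the buffer cannot be allocated,
 * -EOVERFLOW if the total size would not fit in a u32, or the error returned
 * by security_dentry_init_security(). -EOPNOTSUPP from that hook is not an
 * error: it is treated as "no label". On failure the output parameters are
 * left untouched.
 */
static int get_security_context(struct dentry *entry, umode_t mode,
				void **security_ctx, u32 *security_ctxlen)
{
	struct fuse_secctx *fsecctx;
	void *ctx, *full_ctx;
	u32 ctxlen, full_ctxlen;
	int err = 0;

	err = security_dentry_init_security(entry, mode, &entry->d_name, &ctx,
					    &ctxlen);
	if (err) {
		if (err != -EOPNOTSUPP)
			goto out_err;
		/* No LSM is supporting this security hook. Ignore error */
		err = 0;
		ctxlen = 0;
	}

	if (ctxlen > 0) {
		/*
		 * security_dentry_init_security() does not return the name
		 * of lsm or xattr to which label belongs. As of now only
		 * selinux implements this. Hence, hardcoding the name to
		 * security.selinux.
		 */
		static const char name[] = "security.selinux";
		/* sizeof() counts the terminating NUL, so it is copied too. */
		const size_t namelen = sizeof(name);
		char *ptr;

		/*
		 * The total is stored in a u32. Reject a label length that
		 * would make the sum wrap: a wrapped size would allocate a
		 * short buffer that the memcpy() of ctxlen bytes below then
		 * overruns. Whether an LSM can return such a length is not
		 * visible here; the check is defensive.
		 */
		if (ctxlen > (u32)~0U - sizeof(*fsecctx) - namelen) {
			err = -EOVERFLOW;
			kfree(ctx);
			goto out_err;
		}

		full_ctxlen = sizeof(*fsecctx) + namelen + ctxlen;
		full_ctx = kzalloc(full_ctxlen, GFP_KERNEL);
		if (!full_ctx) {
			err = -ENOMEM;
			kfree(ctx);
			goto out_err;
		}

		fsecctx = full_ctx;
		fsecctx->size = ctxlen;
		ptr = (char *)full_ctx + sizeof(*fsecctx);
		/*
		 * fs/fuse/dir.c:502 used strcpy() here, which clang-analyzer
		 * flags (security.insecureAPI.strcpy). The destination was
		 * already sized from the name's length; copying exactly
		 * namelen bytes makes that bound explicit in the call.
		 */
		memcpy(ptr, name, namelen);
		ptr += namelen;
		memcpy(ptr, ctx, ctxlen);
		kfree(ctx);
	} else {
		/* No label: send only the zeroed header (->size == 0). */
		full_ctxlen = sizeof(*fsecctx);
		full_ctx = kzalloc(full_ctxlen, GFP_KERNEL);
		if (!full_ctx) {
			err = -ENOMEM;
			goto out_err;
		}
	}

	*security_ctxlen = full_ctxlen;
	*security_ctx = full_ctx;
out_err:
	return err;
}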
6df7ad1315eb0c Vivek Goyal    2021-09-24  520

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Download attachment ".config.gz" of type "application/gzip" (29222 bytes)
