[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <202206230827.rGKbTxmu-lkp@intel.com>
Date: Thu, 23 Jun 2022 10:09:48 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: kbuild@...ts.01.org, Casey Schaufler <casey@...aufler-ca.com>,
casey.schaufler@...el.com, jmorris@...ei.org,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org
Cc: lkp@...el.com, kbuild-all@...ts.01.org, casey@...aufler-ca.com,
linux-audit@...hat.com, keescook@...omium.org,
john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp,
paul@...l-moore.com, stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v36 18/33] LSM: Use lsmcontext in
security_dentry_init_security
Hi Casey,
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220610-080129
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: parisc-randconfig-m031-20220622 (https://download.01.org/0day-ci/archive/20220623/202206230827.rGKbTxmu-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 11.3.0
If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
New smatch warnings:
fs/fuse/dir.c:484 get_security_context() error: uninitialized symbol 'name'.
Old smatch warnings:
fs/fuse/dir.c:503 get_security_context() warn: is 'ptr' large enough for 'struct fuse_secctx'? 0
vim +/name +484 fs/fuse/dir.c
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 462 static int get_security_context(struct dentry *entry, umode_t mode,
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 463 void **security_ctx, u32 *security_ctxlen)
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 464 {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 465 struct fuse_secctx *fctx;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 466 struct fuse_secctx_header *header;
86d33e271bed73 Casey Schaufler 2022-06-09 467 struct lsmcontext lsmctx;
^^^^^^^^^^^^^^^^^^^^^^^^
86d33e271bed73 Casey Schaufler 2022-06-09 468 void *ptr;
86d33e271bed73 Casey Schaufler 2022-06-09 469 u32 total_len = sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 470 int err, nr_ctx = 0;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 471 const char *name;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 472 size_t namelen;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 473
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 474 err = security_dentry_init_security(entry, mode, &entry->d_name,
86d33e271bed73 Casey Schaufler 2022-06-09 475 &name, &lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 476 if (err) {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 477 if (err != -EOPNOTSUPP)
Imagine "err == -EOPNOTSUPP".
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 478 goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 479 /* No LSM is supporting this security hook. Ignore error */
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 480 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 481
86d33e271bed73 Casey Schaufler 2022-06-09 482 if (lsmctx.len) {
Then actually "lsmctx.len" is uninitialized. Everything breaks after
that.
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 483 nr_ctx = 1;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 @484 namelen = strlen(name) + 1;
^^^^
Warning.
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 485 err = -EIO;
86d33e271bed73 Casey Schaufler 2022-06-09 486 if (WARN_ON(namelen > XATTR_NAME_MAX + 1 ||
86d33e271bed73 Casey Schaufler 2022-06-09 487 lsmctx.len > S32_MAX))
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 488 goto out_err;
86d33e271bed73 Casey Schaufler 2022-06-09 489 total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen +
86d33e271bed73 Casey Schaufler 2022-06-09 490 lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 491 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 492
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 493 err = -ENOMEM;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 494 header = ptr = kzalloc(total_len, GFP_KERNEL);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 495 if (!ptr)
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 496 goto out_err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 497
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 498 header->nr_secctx = nr_ctx;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 499 header->size = total_len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 500 ptr += sizeof(*header);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 501 if (nr_ctx) {
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 502 fctx = ptr;
86d33e271bed73 Casey Schaufler 2022-06-09 503 fctx->size = lsmctx.len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 504 ptr += sizeof(*fctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 505
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 506 strcpy(ptr, name);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 507 ptr += namelen;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 508
86d33e271bed73 Casey Schaufler 2022-06-09 509 memcpy(ptr, lsmctx.context, lsmctx.len);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 510 }
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 511 *security_ctxlen = total_len;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 512 *security_ctx = header;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 513 err = 0;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 514 out_err:
86d33e271bed73 Casey Schaufler 2022-06-09 515 if (nr_ctx)
86d33e271bed73 Casey Schaufler 2022-06-09 516 security_release_secctx(&lsmctx);
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 517 return err;
3e2b6fdbdc9ab5 Vivek Goyal 2021-11-11 518 }
--
0-DAY CI Kernel Test Service
https://01.org/lkp
Powered by blists - more mailing lists