lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAEjxPJ4gCRaH3vBa9doenr86Xm7NMaPGkpFSngCEZkBuC7_LAw@mail.gmail.com>
Date: Thu, 5 Jun 2025 12:53:23 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: Collin Funk <collin.funk1@...il.com>
Cc: bug-gnulib@....org, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org, selinux@...r.kernel.org, 
	Christian Brauner <brauner@...nel.org>, Paul Eggert <eggert@...ucla.edu>, 
	Paul Moore <paul@...l-moore.com>
Subject: Re: Recent Linux kernel commit breaks Gnulib test suite.

On Thu, Jun 5, 2025 at 9:46 AM Stephen Smalley
<stephen.smalley.work@...il.com> wrote:
>
> On Thu, Jun 5, 2025 at 12:03 AM Collin Funk <collin.funk1@...il.com> wrote:
> >
> > Hi,
> >
> > Using the following testdir:
> >
> >     $ git clone https://git.savannah.gnu.org/git/gnulib.git && cd gnulib
> >     $ ./gnulib-tool --create-testdir --dir testdir1 --single-configure `./gnulib-tool --list | grep acl`
> >
> > I see the following result:
> >
> >     $ cd testdir1 && ./configure && make check
> >     [...]
> >     FAIL: test-copy-acl.sh
> >     [...]
> >     FAIL: test-file-has-acl.sh
> >
> > This occurs with these two kernels:
> >
> >     $ uname -r
> >     6.14.9-300.fc42.x86_64
> >     $ uname -r
> >     6.14.8-300.fc42.x86_64
> >
> > But with this kernel:
> >
> >     $ uname -r
> >     6.14.6-300.fc42.x86_64
> >
> > The result is:
> >
> >     $ cd testdir1 && ./configure && make check
> >     [...]
> >     PASS: test-copy-acl.sh
> >     [...]
> >     PASS: test-file-has-acl.sh
> >
> > Here is the test-suite.log from 6.14.9-300.fc42.x86_64:
> >
> >     FAIL: test-copy-acl.sh
> >     ======================
> >
> >     /home/collin/.local/src/gnulib/testdir1/gltests/test-copy-acl: preserving permissions for 'tmpfile2': Numerical result out of range
> >     FAIL test-copy-acl.sh (exit status: 1)
> >
> >     FAIL: test-file-has-acl.sh
> >     ==========================
> >
> >     file_has_acl("tmpfile0") returned no, expected yes
> >     FAIL test-file-has-acl.sh (exit status: 1)
> >
> > To investigate further, I created the testdir again after applying the
> > following diff:
> >
> >     diff --git a/tests/test-copy-acl.sh b/tests/test-copy-acl.sh
> >     index 061755f124..f9457e884f 100755
> >     --- a/tests/test-copy-acl.sh
> >     +++ b/tests/test-copy-acl.sh
> >     @@ -209,7 +209,7 @@ cd "$builddir" ||
> >        {
> >          echo "Simple contents" > "$2"
> >          chmod 600 "$2"
> >     -    ${CHECKER} "$builddir"/test-copy-acl${EXEEXT} "$1" "$2" || exit 1
> >     +    ${CHECKER} strace "$builddir"/test-copy-acl${EXEEXT} "$1" "$2" || exit 1
> >          ${CHECKER} "$builddir"/test-sameacls${EXEEXT} "$1" "$2" || exit 1
> >          func_test_same_acls                           "$1" "$2" || exit 1
> >        }
> >
> > Then running the test from inside testdir1/gltests:
> >
> >     $ ./test-copy-acl.sh
> >     [...]
> >     access("/etc/selinux/config", F_OK)     = 0
> >     openat(AT_FDCWD, "tmpfile0", O_RDONLY)  = 3
> >     fstat(3, {st_mode=S_IFREG|0610, st_size=16, ...}) = 0
> >     openat(AT_FDCWD, "tmpfile2", O_WRONLY)  = 4
> >     fchmod(4, 0610)                         = 0
> >     flistxattr(3, NULL, 0)                  = 17
> >     flistxattr(3, 0x7ffda3f6c900, 17)       = -1 ERANGE (Numerical result out of range)
> >     write(2, "/home/collin/.local/src/gnulib/t"..., 63/home/collin/.local/src/gnulib/testdir1/gltests/test-copy-acl: ) = 63
> >     write(2, "preserving permissions for 'tmpf"..., 37preserving permissions for 'tmpfile2') = 37
> >     write(2, ": Numerical result out of range", 31: Numerical result out of range) = 31
> >     write(2, "\n", 1
> >     )                       = 1
> >     exit_group(1)                           = ?
> >     +++ exited with 1 +++
> >
> > So, we get the buffer size from 'flistxattr(3, NULL, 0)' and then call
> > it again after allocating it 'flistxattr(3, 0x7ffda3f6c900, 17)'. This
> > shouldn't fail with ERANGE then.
> >
> > To confirm, I replaced 'strace' with 'gdb --args'. Here is the result:
> >
> >     (gdb) b qcopy_acl
> >     Breakpoint 1 at 0x400a10: file qcopy-acl.c, line 84.
> >     (gdb) run
> >     Starting program: /home/collin/.local/src/gnulib/testdir1/gltests/test-copy-acl tmpfile0 tmpfile2
> >     [Thread debugging using libthread_db enabled]
> >     Using host libthread_db library "/lib64/libthread_db.so.1".
> >
> >     Breakpoint 1, qcopy_acl (src_name=src_name@...ry=0x7fffffffd7c3 "tmpfile0", source_desc=source_desc@...ry=3,
> >         dst_name=dst_name@...ry=0x7fffffffd7cc "tmpfile2", dest_desc=dest_desc@...ry=4, mode=mode@...ry=392) at qcopy-acl.c:84
> >     84    ret = chmod_or_fchmod (dst_name, dest_desc, mode);
> >     (gdb) n
> >     90    if (ret == 0)
> >     (gdb) n
> >     92        ret = source_desc <= 0 || dest_desc <= 0
> >     (gdb) s
> >     attr_copy_fd (src_path=src_path@...ry=0x7fffffffd7c3 "tmpfile0", src_fd=src_fd@...ry=3, dst_path=dst_path@...ry=0x7fffffffd7cc "tmpfile2",
> >         dst_fd=dst_fd@...ry=4, check=check@...ry=0x4009b0 <is_attr_permissions>, ctx=ctx@...ry=0x0) at libattr/attr_copy_fd.c:73
> >     73          if (check == NULL)
> >     (gdb) n
> >     76          size = flistxattr (src_fd, NULL, 0);
> >     (gdb) n
> >     77          if (size < 0) {
> >     (gdb) print size
> >     $1 = 17
> >     (gdb) n
> >     86          names = (char *) my_alloc (size+1);
> >     (gdb) n
> >     92          size = flistxattr (src_fd, names, size);
> >     (gdb) print errno
> >     $2 = 0
> >     (gdb) n
> >     93          if (size < 0) {
> >     (gdb) print size
> >     $3 = -1
> >     (gdb) print errno
> >     $4 = 34
> >
> > After confirming with the Fedora Kernel tags [1], I am fairly confident
> > that it was caused by this commit [2].
> >
> > But I am not familiar enough with ACLs, SELinux, or the Kernel to know
> > the fix.
> >
> > Adding the lists where this was discussed and some of the signers to CC,
> > since they will know better than me.
>
> Thank you for the bug report. Looks like the security xattr handling
> is somehow replacing the overall length with just the length of the
> security.selinux xattr rather than adding it to the length of the acl
> xattr. Will check to see if this is already fixed on vfs.fixes; if
> not, will look into a fix although it wasn't immediately obvious to me
> why this is happening. There is also another patch related to this
> pending that is supposed to go through the LSM tree which might fix
> it.

Sorry, mea culpa; should be fixed by
https://lore.kernel.org/selinux/20250605164852.2016-1-stephen.smalley.work@gmail.com/

>
> >
> > Collin
> >
> > [1] https://gitlab.com/cki-project/kernel-ark
> > [2] https://github.com/torvalds/linux/commit/8b0ba61df5a1c44e2b3cf683831a4fc5e24ea99d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ