lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dpuld3qyyl6kan2jsigftmuhrqee2htjfmlytvnr55x37wy3eb@jkutc2k4zkfm>
Date: Tue, 9 Dec 2025 09:22:10 +0100
From: Mateusz Guzik <mjguzik@...il.com>
To: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, 
	Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] file: Call security_file_alloc() after initializing the
 filp

On Tue, Dec 09, 2025 at 03:53:47PM +0800, Tianjia Zhang wrote:
> When developing a dedicated LSM module, we need to operate on the
> file object within the LSM function, such as retrieving the path.
> However, in `security_file_alloc()`, the passed-in `filp` is
> only a valid pointer; the content of `filp` is completely
> uninitialized and entirely random, which confuses the LSM function.
> 

I take it you have some underlying routine called by other hooks as well
which ends up looking at ->f_path.

Given that f_path *is not valid* to begin with, memsetted or not, your
file_alloc_security hoook should not be looking at it to begin with.

So I don't think this patch has merit.

> Therefore, it is necessary to call `security_file_alloc()` only
> after the main fields of the `filp` object have been initialized.
> This patch only moves the call to `security_file_alloc()` to the
> end of the `init_file()` function.
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
> ---
>  fs/file_table.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/file_table.c b/fs/file_table.c
> index 81c72576e548..e66531a629aa 100644
> --- a/fs/file_table.c
> +++ b/fs/file_table.c
> @@ -156,11 +156,6 @@ static int init_file(struct file *f, int flags, const struct cred *cred)
>  	int error;
>  
>  	f->f_cred = get_cred(cred);
> -	error = security_file_alloc(f);
> -	if (unlikely(error)) {
> -		put_cred(f->f_cred);
> -		return error;
> -	}
>  
>  	spin_lock_init(&f->f_lock);
>  	/*
> @@ -202,6 +197,14 @@ static int init_file(struct file *f, int flags, const struct cred *cred)
>  	 * They may be enabled later by fsnotify_open_perm_and_set_mode().
>  	 */
>  	file_set_fsnotify_mode(f, FMODE_NONOTIFY_PERM);
> +
> +	error = security_file_alloc(f);
> +	if (unlikely(error)) {
> +		mutex_destroy(&f->f_pos_lock);
> +		put_cred(f->f_cred);
> +		return error;
> +	}
> +
>  	return 0;
>  }
>  
> -- 
> 2.39.5 (Apple Git-154)
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ