lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202204081146.DPLvGqQ7-lkp@intel.com>
Date:   Fri, 8 Apr 2022 11:43:33 +0800
From:   kernel test robot <lkp@...el.com>
To:     Casey Schaufler <casey@...aufler-ca.com>,
        casey.schaufler@...el.com, jmorris@...ei.org,
        linux-security-module@...r.kernel.org, selinux@...r.kernel.org
Cc:     kbuild-all@...ts.01.org, casey@...aufler-ca.com,
        linux-audit@...hat.com, keescook@...omium.org,
        john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp,
        paul@...l-moore.com, stephen.smalley.work@...il.com,
        linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
        netdev@...r.kernel.org
Subject: Re: [PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid

Hi Casey,

I love your patch! Perhaps something to improve:

[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on linus/master v5.18-rc1 next-20220407]
[cannot apply to pcmoore-audit/next jmorris-security/next-testing]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
config: arm-randconfig-c002-20220408 (https://download.01.org/0day-ci/archive/20220408/202204081146.DPLvGqQ7-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
        git checkout 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash security/integrity/ima/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>):

   security/integrity/ima/ima_appraise.c: In function 'ima_must_appraise':
>> security/integrity/ima/ima_appraise.c:81:16: warning: array subscript 0 is outside array bounds of 'u32[0]' {aka 'unsigned int[]'} [-Warray-bounds]
      81 |         return ima_match_policy(mnt_userns, inode, current_cred(),
         |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      82 |                                 blob.secid[0], func, mask,
         |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~
      83 |                                 IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
         |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      84 |                                 NULL);
         |                                 ~~~~~
   In file included from include/linux/ima.h:12,
                    from security/integrity/ima/ima_appraise.c:14:
   include/linux/security.h:150:17: note: while referencing 'secid'
     150 |         u32     secid[LSMBLOB_ENTRIES];
         |                 ^~~~~
   security/integrity/ima/ima_appraise.c:74:24: note: defined here 'blob'
      74 |         struct lsmblob blob;
         |                        ^~~~


vim +81 security/integrity/ima/ima_appraise.c

    65	
    66	/*
    67	 * ima_must_appraise - set appraise flag
    68	 *
    69	 * Return 1 to appraise or hash
    70	 */
    71	int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
    72			      int mask, enum ima_hooks func)
    73	{
    74		struct lsmblob blob;
    75	
    76		if (!ima_appraise)
    77			return 0;
    78	
    79		security_current_getsecid_subj(&blob);
    80		/* scaffolding the .secid[0] */
  > 81		return ima_match_policy(mnt_userns, inode, current_cred(),
    82					blob.secid[0], func, mask,
    83					IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL,
    84					NULL);
    85	}
    86	

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ