A missing security check bug in trace_format_open().

[Jinmeng Zhou]

Dear maintainers,
hi, our team has found a missing check bug on Linux kernel v5.10.7
using static analysis. There is a missing security check bug in
trace_format_open() before calling function seq_open().

Function profile_open() checks security_locked_down() before the
critical function seq_open().
1. //check security_locked_down() ///////////////////////
2. static int profile_open(struct inode *inode, struct file *file)
3. {
4.   int ret;
5.   ret = security_locked_down(LOCKDOWN_TRACEFS);
6.   if (ret)
7.     return ret;
8.   return seq_open(file, &profile_seq_op);
9. }

While trace_format_open() does not call this check,
security_locked_down(), and the parameters of calling seq_open() are
similar.
1. static int trace_format_open(struct inode *inode, struct file *file)
2. {
3.   struct seq_file *m;
4.   int ret;
5.
6.   /* Do we want to hide event format files on tracefs lockdown? */
7.
8.   ret = seq_open(file, &trace_format_seq_ops);
9.   if (ret < 0)
10.     return ret;
11.
12.   m = file->private_data;
13.   m->private = file;
14.
15.   return 0;
16. }

Both functions are assigned to the same struct type and field.
1. static const struct file_operations kprobe_profile_ops = {
2. …
3.   .open           = profile_open,
4. …
5. };
6. static const struct file_operations ftrace_event_format_fops = {
7. …
8.   .open           = trace_format_open,
9. …
10. };


In conclusion, we assume that these functions work in the same way.
However, it is not appropriate that one function is called without
checking.

Thanks!


Best regards,
Jinmeng Zhou