[rhvgoyal:fuse-secctx 2/2] fs/fuse/dir.c:502:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-se...

From: kernel test robot
Date: Sat Nov 13 2021 - 10:11:26 EST


tree: https://github.com/rhvgoyal/linux fuse-secctx
head: 6df7ad1315eb0cf5fec0a2efc1a35743052f3087
commit: 6df7ad1315eb0cf5fec0a2efc1a35743052f3087 [2/2] fuse: Send security context of inode on file creation
config: riscv-randconfig-c006-20210930 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 28981015526f2192440c18f18e8a20cd11b0779c)
reproduce (this is a W=1 build):
# Fetch the lkp-tests cross-build wrapper. The URL points at the tip of
# master rather than a pinned commit, so the script that gets downloaded
# may differ from the one the robot ran; read it before executing it.
# NOTE(review): -O writes into ~/bin, which presumably must already exist.
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install riscv cross compiling tool for clang build
# apt-get install binutils-riscv64-linux-gnu
# https://github.com/rhvgoyal/linux/commit/6df7ad1315eb0cf5fec0a2efc1a35743052f3087
# Check out exactly the commit under test (same hash as "head:" above).
git remote add rhvgoyal https://github.com/rhvgoyal/linux
git fetch --no-tags rhvgoyal fuse-secctx
git checkout 6df7ad1315eb0cf5fec0a2efc1a35743052f3087
# save the attached .config to linux build tree
# Run the clang static analyzer target for riscv; the compiler is installed
# under $HOME/0day by make.cross.
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=riscv clang-analyzer

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>


clang-analyzer warnings: (new ones prefixed by >>)

>> fs/fuse/dir.c:502:3: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
strcpy(ptr, name);
^~~~~~

>> fs/fuse/dir.c:772:2: warning: Address of stack memory associated with local variable 'outarg' is still referred to by the stack variable 'args' upon returning to the caller. This will be a dangling reference [clang-analyzer-core.StackAddressEscape]
return err;
^


vim +502 fs/fuse/dir.c

e5e5558e923f35 Miklos Szeredi 2005-09-09 461
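/*
 * Listing of fs/fuse/dir.c lines 462-519 at commit 6df7ad1315eb0c, with the
 * per-line annotation columns dropped. The analyzer warning above points at
 * line 502, the copy of the xattr name into the freshly allocated buffer.
 *
 * get_security_context() - build the security-context blob for a new dentry.
 * @entry:           dentry being created; its d_name is passed to the LSM hook
 * @mode:            mode of the inode being created
 * @security_ctx:    out: kzalloc()ed buffer holding the blob
 * @security_ctxlen: out: size of that buffer in bytes
 *
 * Blob layout when the LSM returns a label (ctxlen > 0):
 *   struct fuse_secctx header (size = ctxlen)
 *   NUL-terminated xattr name ("security.selinux")
 *   ctxlen bytes of label
 * When no label is available the blob is only a zeroed header.
 *
 * Return: 0 on success, -ENOMEM if the blob cannot be allocated, or the
 * error from security_dentry_init_security() other than -EOPNOTSUPP. On
 * failure the two output parameters are left untouched.
 *
 * NOTE(review): the buffer handed back through @security_ctx is presumably
 * freed by the caller; that code is not part of this listing.
 */
static int get_security_context(struct dentry *entry, umode_t mode,
				void **security_ctx, u32 *security_ctxlen)
{
	struct fuse_secctx *fsecctx;
	void *ctx, *full_ctx;
	u32 ctxlen, full_ctxlen;
	int err = 0;

	err = security_dentry_init_security(entry, mode, &entry->d_name, &ctx,
					    &ctxlen);
	if (err) {
		if (err != -EOPNOTSUPP)
			goto out_err;
		/* No LSM is supporting this security hook. Ignore error */
		err = 0;
		/* ctx was not set in this case; ctxlen = 0 keeps it unused. */
		ctxlen = 0;
	}

	if (ctxlen > 0) {
		/*
		 * security_dentry_init_security() does not return the name
		 * of the LSM or xattr to which the label belongs. As of now
		 * only selinux implements this. Hence, hardcoding the name to
		 * security.selinux.
		 */
		const char *name = "security.selinux";
		/* Bytes occupied by the name, terminating NUL included. */
		size_t name_size = strlen(name) + 1;
		void *ptr;

		/*
		 * NOTE(review): ctxlen comes from the LSM hook and this sum
		 * is stored in a u32 without a wrap-around check. Labels are
		 * presumably far too small for that to matter; confirm, or
		 * reject oversized values before allocating.
		 */
		full_ctxlen = sizeof(*fsecctx) + name_size + ctxlen;
		full_ctx = kzalloc(full_ctxlen, GFP_KERNEL);
		if (!full_ctx) {
			err = -ENOMEM;
			kfree(ctx);
			goto out_err;
		}

		ptr = full_ctx;
		fsecctx = ptr;
		fsecctx->size = ctxlen;
		ptr += sizeof(*fsecctx);
		/*
		 * The original line 502 was strcpy(ptr, name), which the
		 * analyzer flags as an unbounded copy (CWE-119). The buffer
		 * was already sized from strlen(name), so the copy fit;
		 * copying an explicit length ties the write to the same
		 * name_size used for the allocation and produces the same
		 * bytes.
		 */
		memcpy(ptr, name, name_size);
		ptr += name_size;
		memcpy(ptr, ctx, ctxlen);
		/* The LSM-provided label has been copied; release it. */
		kfree(ctx);
	} else {
		/* No label: send a header only; kzalloc leaves size at 0. */
		full_ctxlen = sizeof(*fsecctx);
		full_ctx = kzalloc(full_ctxlen, GFP_KERNEL);
		if (!full_ctx) {
			err = -ENOMEM;
			goto out_err;
		}
	}

	*security_ctxlen = full_ctxlen;
	*security_ctx = full_ctx;
out_err:
	return err;
}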
6df7ad1315eb0c Vivek Goyal 2021-09-24 520

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip